Splunk Search

How to pass string fields to search commands to use in parameters

neiljpeterson
Communicator

I am always looking for ways to DRY up my Splunk searches.

Here is a pattern I find myself repeating

index=<your base search here>
| eval field_combo=index."#".source."#".sourcetype."#".<something, something, dark side>
| timesearch <function> by field_combo
| <do some other stuff>
| makemv delim="#" field_combo
| table <some fields and other stuff>

We could DRY this up to be

index=<your base search here>
| delimer="#"
| eval field_combo=index.delimer.source.delimer.sourcetype.delimer.<something, something, dark side>
| timesearch <some function> by field_combo
| <do some other stuff>
| makemv delim=delimer field_combo
| table <some fields and other stuff>

But this line

| makemv delim=delimer field_combo

is not kosher. Splunk does not complain, but it does not work either.

I tried tostring() but same result.

This is an oversimplified example, but similar situations are common. I want to use eval'ed strings in search commands to make searches more maintainable. But how?

0 Karma

woodcock
Esteemed Legend

The only fully templatizable command in SPL is map (but you do have to be careful because it runs the entire inner search for every event in the outer search). Try this:

|noop|stats count| eval delimer="#"
| map search="|noop|stats count|eval index=\"index\"|eval source=\"src\"|eval sourcetype=\"st\"
| eval field_combo = index . $delimer$ . source . $delimer$ . sourcetype | makemv delim=\"$delimer$\" field_combo"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...