Create a new variable within a search

nebel
Communicator

Hi,

I'd like to use the top command in my search. The problem is that the fields which I want to top can change if the sourcetype changes.

sourcetype=windows then top eventlog
sourcetype=others then top linux_messages

My idea was the following

sourcetype=windows | eval os = if(sourcetype="windows","eventlog","linux_messages") | top os

With "top os" Splunk only displays "eventlog" (as is logical). But "eventlog" is also a field. I want Splunk to replace "top os" with "top eventlog".

Is there a way to do this?

Thank you

1 Solution

melting
Splunk Employee

I have used macros in the past to help with this. You could use the stringreplace to pick which macro to use.

So you would have at least two search macros. oslogs-windows and oslogs-linux

In the search you can refer to them like
.... | oslogs-$os$
so when os is linux it will use the oslogs-linux macro, and when windows it uses the oslogs-windows macro

0 Karma
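A concrete version of the two macros melting describes, as an added example that is not from the thread: it assumes the dashboard dropdown token is named os with the values windows and linux, and that those values also match the sourcetype values (the question used "others" for the non-Windows sourcetype, so adjust the sourcetype filter if yours differ).

```ini
# macros.conf (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf)
#
# One macro per OS. Each macro holds only the OS-specific tail of the
# search, so the dashboard search itself is identical for both choices.

[oslogs-windows]
# Windows events: the field to rank is eventlog
definition = top limit=10 eventlog
iseval = 0

[oslogs-linux]
# Linux events: the field to rank is linux_messages
definition = top limit=10 linux_messages
iseval = 0

# How the dashboard search invokes them (Simple XML <query>, shown here
# as a comment). The token name "os" is an assumption for this example:
#
#   sourcetype=$os$ | `oslogs-$os$`
#
# With the dropdown set to windows the token expands first, so the macro
# name becomes `oslogs-windows` and the search Splunk actually runs is:
#
#   sourcetype=windows | top limit=10 eventlog
```

Because the token value is spliced into the macro name, keep the input a dropdown with fixed choices rather than a free-text field: a value with no matching macro only fails the search, but fixed choices keep the set of searches the dashboard can expand to explicit and reviewable.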

melting
Splunk Employee

You're welcome, I am glad it worked.

0 Karma

nebel
Communicator

I am really thankful for your answer! worked great 🙂

0 Karma

sdaniels
Splunk Employee

What exactly are you wanting to do this for? Why do separate searches not work for you, since the data and fields are different?

You could do something like this:

* | eval something = if(sourcetype="windows", eventlog, someotherfield) | top something

First you need to remove "sourcetype=windows" because you are only going to get that result when you have already filtered on windows prior to the 'if' statement. In this case, if it's windows it's going to top the eventlog field for you. For everything else it's going to choose someotherfield which would need to be common among the other stuff you want to look at.

0 Karma

nebel
Communicator

thanks! But I think we have a misunderstanding.

I have Windows and Linux logs. I also have one dashboard and on that dashboard I have a drop down to switch between Windows and Linux.

I see for instance the top Windows/Linux error messages. I want to realize this in one search. With a drop down, I choose the sourcetype (windows/linux), but the top command is the problem because the fields in windows and linux are different. In windows it is eventlog and in linux it is messages. The idea was to populate the top command by an if command which recognizes which sourcetype is chosen...

0 Karma