Differentiate between environments in a search

Bob_Bard
Explorer

I am building our new dashboards and alerts in our Acceptance environment, later we will move the whole app to Production. The issue at the moment is that on Acceptance file transfers are named like A03811 and on Production this file transfer is P03811. I don't want to change all of the searches that need to differentiate between the environments after we deploy the app to Production so I am trying to find a way to check the environment in the search and change things accordingly.

What suggestion do you have to deal with this?

0 Karma

niketn
Legend

Let's say your field name for the file is filename, i.e. filename="A03811" and filename="P03811" for the Acceptance and Prod environments respectively.

Eventtype for Acceptance Environment:

getEnvFiles -->  <YourBaseSearchWithIndexSourceType_etc> filename="A*"

Eventtype for Prod Environment:

getEnvFiles --> <YourBaseSearchWithIndexSourceType_etc>  filename="P*"

Then in your dashboard search you can use the following which will be the same for both environments:

 eventtype="getEnvFiles" filename="*03811"

Also, for manually setting the environment, you can define a macro with an env parameter of A or P:

`setEnv("A")` or `setEnv("P")`

which sets the eventtype similar to getEnvFiles, i.e., for example, when the macro argument is "A":

<YourBaseSearchWithIndexSourceType_etc> filename="A*" 

Let me know if this is sufficient or you need further details.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
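As an added illustration of the eventtype-plus-macro layout described in the answer above (this is not configuration from the original post), the stanzas below show how the two deployments could be laid out. The app name filetransfer_app, the index and sourcetype names, the status field and its values are assumptions; only the per-environment stanza in each deployment's local/ directory differs, while macros.conf and the dashboard/alert search are identical in both.

```conf
# --- Acceptance deployment only: $SPLUNK_HOME/etc/apps/filetransfer_app/local/eventtypes.conf ---
# Assumed index/sourcetype names. This is the only stanza that differs between environments,
# and it lives in local/, which is not packaged with the app, so a deploy never carries the
# Acceptance prefix into Production.
[getEnvFiles]
search = index=filetransfer sourcetype=ft:status filename="A*"

# --- Production deployment only: $SPLUNK_HOME/etc/apps/filetransfer_app/local/eventtypes.conf ---
[getEnvFiles]
search = index=filetransfer sourcetype=ft:status filename="P*"

# --- Identical in both: $SPLUNK_HOME/etc/apps/filetransfer_app/default/macros.conf ---
# One-argument macro for manual overrides, e.g. smoke-testing Production from a search bar.
# The argument is substituted textually, so call it as `setEnv(A)` / `setEnv(P)` (unquoted);
# validation rejects anything but A or P instead of silently searching for nothing.
[setEnv(1)]
args = env
definition = index=filetransfer sourcetype=ft:status filename="$env$*"
validation = match(env, "^[AP]$")
errormsg = env must be A (Acceptance) or P (Production)

# --- Dashboard / alert search, identical in both environments (assumed status field) ---
#   eventtype="getEnvFiles" filename="*03811" status=failed
# --- Manual override from a search bar, bypassing the eventtype ---
#   `setEnv(P)` filename="*03811" status=failed
```

The eventtype and macro should be shared at app scope with write permission limited to an admin role, so an alert or dashboard cannot be redirected to the wrong prefix by someone redefining getEnvFiles under the same name.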

Bob_Bard
Explorer

Thank you! I am going to try this out.

0 Karma

damiensurat
Contributor

Assuming all of the data is sent to the same indexers, you could add an input (drop-down / multiselect / radio button) to your dashboards (in essence making it a form) and pass a token to the search in place of the filename. If you're not familiar with how to do this, I would suggest reading up on it. See: http://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

Look for the "define tokens in inputs" section. This can also be done via the gui by going to your dashboard, click edit, click add input, [ choose your input type ] and then fill out in the sections. If you need more help let me know.

0 Karma

Bob_Bard
Explorer

I did consider this option. But that isn't going to work in an alert. Also it would be a fairly pointless form input since Splunk A and Splunk P are on different servers.

0 Karma

niketn
Legend

@Bob_Bard, in your existing App in the acceptance environment, do you have logic around the filename starting with A? Or are you using the file name as is for display? Also, what is the field for the filename?

0 Karma

Bob_Bard
Explorer

@niketnilay, I am not sure I understand what you are asking. A03811 is a file transfer that moves some blabla842.csv file to a different location. All the file transfers in our acceptance environment start with an A and all the corresponding ones in production start with a P. When a file transfer has occurred we log the status (either "success" or "failed"). I want to put the failed ones on a dashboard. Everything works fine, except that when I would move the app to production it would look for file transfer A03811 and find nothing. It needs to look for P03811 instead.

0 Karma

niketn
Legend

@Bob_Bard, I wanted to confirm the dependency on file transfer A03811. What exactly in your app refers to this? Or rather how is it hard-coded? Is it a field, index, sourcetype or something else?

In our case we had two indexes one for stage (index="stage_blahblah") and another one for prod (index="blahblah").

We had created the same eventtype in stage and prod which was referred by macro call with argument as stage or prod.

In the case of stage, the event type was somename, set to index="stage_blahblah", and the macro call was setEnv("stage").
In the case of prod, the event type was also somename, set to index="blahblah", and the macro call was setEnv("prod").

This way the dashboard code remained the same; we just had to change the event type definition in stage and prod. Also, manually we could just change the argument of the setEnv macro to override settings and switch from one environment to another (like smoke testing the prod environment etc.).

0 Karma

Bob_Bard
Explorer

Ah, A03811 would be a field.

I hadn't yet thought of using a macro. I could have a macro that simply expands into A or P and use that in a replace.

0 Karma
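As an added example of the idea in the last post, a zero-argument macro that expands to the environment prefix so the same search can normalise or build transfer IDs in either environment (this is not configuration from the original thread). The macro name env_prefix, the index and sourcetype, and the status field are assumptions; each deployment keeps its own one-line definition in local/, and the searches that use it are identical in both.

```conf
# --- Acceptance deployment only: $SPLUNK_HOME/etc/apps/filetransfer_app/local/macros.conf ---
# The definition is a quoted string literal so it can be used directly inside eval.
[env_prefix]
definition = "A"

# --- Production deployment only: $SPLUNK_HOME/etc/apps/filetransfer_app/local/macros.conf ---
[env_prefix]
definition = "P"

# --- Searches that are identical in both environments (assumed index/sourcetype/status) ---
# 1. Build the environment-specific ID from a prefix-free transfer number:
#   index=filetransfer sourcetype=ft:status status=failed
#   | eval wanted=`env_prefix`."03811"
#   | where filename=wanted
#
# 2. Strip the prefix once, then keep the rest of the search environment-agnostic. Anchoring
#    the replace to the prefix ("^" followed by the macro value) avoids touching an A or P
#    that appears later in the name; the regex is built from the macro in eval:
#   index=filetransfer sourcetype=ft:status status=failed
#   | eval transfer_no=replace(filename, "^".`env_prefix`, "")
#   | search transfer_no="03811"
#   | table _time transfer_no status
```

Because the macro is resolved at search time on each server, an alert saved in the app needs no edit when the app moves; only the local/macros.conf on the Production search head has to say "P". As with the eventtype variant, restrict write permission on the macro to an admin role so nobody can repoint the alerts by redefining env_prefix.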