Splunk Search

search on variable

scottfoley
Explorer

I have a dashboard where I select the type of item I want to look for in an IIS log. What I look for is a regular expression, but I can show the problem using a simple wildcard.

| eval search_stem = "/item/*"
| search cs_uri_stem = search_stem

This returns nothing. If I replace the search with the actual string it works fine.

| search cs_uri_stem = "/item/*" 

The cs_uri_stem searched for will be a regex expression. Something like this, but more complicated regex and items.

 sourcetype=iis 
| eval search_stem = case (
   $selection$="item1","/item1/.*",
   $selection$="item2","/item2/.*",
   $selection$="item3","/item3/.*"
)
| regex cs_uri_stem=search_stem
| table  cs_uri_stem search_stem

I use the table to show that the search_stem is correct. I can't seem to get a trivial example working where I base a search on a variable that contains a wildcard. A similar question to this was answered using the where clause, but that does not work with wildcards or regex.

Any suggestions?

I am using Splunk Cloud 7.0.11.1

0 Karma
1 Solution

ololdach
Builder

Hi scottfoley,
the easiest solution would be to define a drop down field to select the stem and add the label/value pairs so that for example the first label reads Item1 and the first value reads /item1/.*. Call the token selection. Now, if you select "Item1" from the list, the value of selection will be /item1/.* Use it in your search like such: sourcetype=iis | regex cs_uri_stem="$selection$" | eval search_stem="$selection$" | table cs_uri_stem search_stem
With dynamic stems, you could also dynamically fill the dropdown values from a search.

View solution in original post

0 Karma

ololdach
Builder

Hi scottfoley,
the easiest solution would be to define a drop down field to select the stem and add the label/value pairs so that for example the first label reads Item1 and the first value reads /item1/.*. Call the token selection. Now, if you select "Item1" from the list, the value of selection will be /item1/.* Use it in your search like such: sourcetype=iis | regex cs_uri_stem="$selection$" | eval search_stem="$selection$" | table cs_uri_stem search_stem
With dynamic stems, you could also dynamically fill the dropdown values from a search.

0 Karma

scottfoley
Explorer

That works. That was my end goal, but I wonder why my example did not work. Still my example was contrived and not something that someone would normally do. I was just testing things outside of a dashboard.

Thanks

0 Karma

ololdach
Builder

Hi scottfoley, it appears that splunk treats the content of a variable different from literal values in a search command. Variables don't pass through the wildcard processing. Dashboard tokens, however, are being treated as literal values. If you want to implement it somewhat like in your example, try ...|where cs_uri_stem like search_stem."%"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...