How to use a value created with eval to search my events for a particular line of text?

Aaron_Fogarty
Path Finder

Hi,

I am trying to use a value from an eval as search data. I am searching my events for a particular line of text and not by a field or value.

This search will return any events with the text "DeployError" without using an eval

index="123" sourcetype="abc" host="xyz" source=$sourceType$  "DeployError" User | timechart count by User

Based on the $sourceType$ token, the eval will have a different value. I would like to make the same type of search as above with the eval value. This is what I have tried, but it does not work.

index="123" sourcetype="abc" host="xyz" source=$sourceType$ User | eval errorType=case(source=="/logs/proxy-service.log","\"DeployError\"", source=="/logs/service.log","\"BuildError\"")| search errorType | timechart count by User

Any help here would be much appreciated. Thanks

0 Karma
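A filtering alternative to a subsearch, added here as an illustration and not taken from any post in this thread: keep the eval, but drop the escaped quotes from the case() values and test the raw event text against the computed value with where, so the error string derived from the source path acts as a text filter inside the same pipeline. The index, sourcetype, host, token, source paths and field names are the ones from the question; the like() pattern and the isnotnull() gate are my additions.

```spl
index="123" sourcetype="abc" host="xyz" source=$sourceType$ User
| eval errorType=case(
      source=="/logs/proxy-service.log", "DeployError",
      source=="/logs/service.log",       "BuildError")
| where isnotnull(errorType) AND like(_raw, "%".errorType."%")
| timechart count by User
```

case() without a default returns null for any other source, so the isnotnull() check simply drops those events instead of matching them. Note that search errorType=* only keeps events where the field was populated; it does not test the event text for the value, which is what the where clause above does.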

sundareshr
Legend

It's possibly a typo in here, but your search errorType will only return events with the text errorType. Should be search errorType=*

0 Karma

somesoni2
Revered Legend

You would need to use a subsearch, like this
Updated

index="123" sourcetype="abc" host="xyz" source=$sourceType$ User [ | gentimes start=-1 | eval search=case(match("$sourceType$","/logs/proxy-service.log"),"\"DeployError\"", match("$sourceType$","/logs/service.log"),"\"BuildError\"",1=1," ") | table search ] | timechart count by User

0 Karma

Aaron_Fogarty
Path Finder

Hey somesoni2,

Thanks for your answer, I gave this a try but I am still getting no results found.

0 Karma

somesoni2
Revered Legend

Try the updated answer. Also, could you provide some sample value for the field source? Does it match exactly with "/logs/proxy-service.log"?

0 Karma

Aaron_Fogarty
Path Finder

Hey somesoni2,

Thanks again, but still no joy. Yes, the source and value are the exact same; what I have provided here are made-up values of what I am doing, for confidentiality, but everything does match exactly in the real version.

index="123" sourcetype="abc" host="xyz" source=$sourceType$ User | eval errorType=case(source=="/logs/proxy-service.log","\"DeployError\"", source=="/logs/service.log","\"BuildError\"")| search errorType | timechart count by User

0 Karma