
Does anyone here know how I can use built-in functions (case) in a Splunk query? All examples I found were to handle the query results (I cannot put it after eval or | )

I need something like:

index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all") sourcetype="kube:container:rail-service"

Note: I cannot just concatenate indexVar + "-all"

Alexsandro Souza
  • Does something like this help? https://stackoverflow.com/a/71541775/2193968 If I translate that correctly I get `sourcetype="kube:container:rail-service" [| makeresults | eval search=case(indexVar="qa","index=qa-all", indexVar="prod","index=prod-all") | fields search]` Let me know if that works... – Jerry Jeremiah Aug 24 '22 at 23:06
  • If https://stackoverflow.com/a/58652167/2193968 is right something like `((indexVar="qa" index="qa-all") OR (indexVar="prod" index="prod-all")) sourcetype="kube:container:rail-service"` would work – Jerry Jeremiah Aug 24 '22 at 23:15
  • It didn't really work. How would I use the bar indexVar? I tried with $indexvar$ and it didn't work – Alexsandro Souza Aug 25 '22 at 18:42

1 Answer


The case function may be built-in, but that doesn't mean you can use it anywhere. It's only valid with the eval, fieldformat, and where commands.

A workaround would be to put the eval in a subsearch.

sourcetype="kube:container:rail-service" [ 
  | makeresults 
  | eval index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all") 
  | fields index ]
RichG
  • How will it be, considering that the final query should be index="qa-all"? Anyway, it didn't work – Alexsandro Souza Aug 25 '22 at 18:44
  • What does `it didn't work` mean? What results did you get? Try running the subsearch (the bit between `[]`) by itself and verify the expected results are returned. Where does `indexVar` come from? – RichG Aug 25 '22 at 18:53
  • To make it easier I am testing it like ` [ | makeresults | eval index=case("qa" == "qa", "qa-all", "p" == "prod", "prod-all") | fields index ] ` NO results are found. – Alexsandro Souza Aug 25 '22 at 20:48
  • Sorry. It actually worked – Alexsandro Souza Aug 25 '22 at 20:49
  • How can I use the dashboard token in this query? I am using $indexVar$ but it doesn't work. Your query works fine when I am not using the token. – Alexsandro Souza Aug 25 '22 at 20:59
  • The `$indexVar$` syntax is correct. Check the token name is correct. Of course, tokens are not present when running a query in a Search box. – RichG Aug 25 '22 at 21:05
  • This is the final query that worked for me when applied to a dashboard `sourcetype="kube:container:rail-service" [ | makeresults | eval index=case("$indexVar$" == "qa", "qa-all", "$indexVar$" == "prod", "prod-all") | fields index ]` The missing part was the `""` around the variable – Alexsandro Souza Aug 26 '22 at 15:22
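Putting the accepted answer's subsearch and the final comment's finding (the token must arrive as a quoted string) into a complete Simple XML dashboard, as an added example that is not part of the thread. The dashboard label, panel layout, time range and the `no-such-index` placeholder are assumptions; `$indexVar|s$` is the Simple XML token filter that wraps the value in double quotes and escapes any quotes inside it, which is the same effect as the `"$indexVar$"` quoting in the last comment but holds up when the value itself contains a quote.

```xml
<form>
  <label>Rail service logs (assumed dashboard name)</label>
  <fieldset submitButton="false">
    <!-- A dropdown limits indexVar to the two values that case() knows about;
         a free-text input would let any string reach the search. -->
    <input type="dropdown" token="indexVar">
      <label>Environment</label>
      <choice value="qa">QA</choice>
      <choice value="prod">Production</choice>
      <default>qa</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $indexVar|s$ expands to "qa" or "prod" (quoted, with embedded
               quotes and backslashes escaped), so eval always sees a string
               literal. The subsearch emits one result with an index field,
               which the outer search turns into index=qa-all or index=prod-all.
               case() returns NULL when no condition matches, so the trailing
               true() branch maps any unexpected value to a placeholder index
               that does not exist, rather than returning a result with no
               index field at all. -->
          <query>
            sourcetype="kube:container:rail-service"
              [ | makeresults
                | eval index=case($indexVar|s$ == "qa", "qa-all",
                                  $indexVar|s$ == "prod", "prod-all",
                                  true(), "no-such-index")
                | fields index ]
            | table _time host index _raw
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

To check what the outer search actually receives, run the bracketed subsearch on its own in the search bar with the token replaced by a literal such as `"qa"` and confirm it returns a single row whose `index` field is `qa-all`.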