Assign a value to the variable in Splunk and use that value in the search

Submitted by 青春壹個敷衍的年華 on 2021-02-19 06:34:10

Question


I have a use-case where I want to set the value to a variable based on the condition and use that variable in the search command.

Example: I want to check the condition

    if account_no=818

    then var1="vpc-06b"

    else var1="*"

I tried

...|eval val1=case(acc_no==818,"vpc-06b",acc_no!=818,"*")|search vpc_id=val1

but I am not getting any events. If I try

...|search vpc_id=vpc-06b

then, as a result, I am getting the expected output.


Answer 1:


index=... (acc-number=818 AND (vpc_id="vpc-078" OR vpc_id="vpc-02c" )) OR (acc-number!=818 AND vpc_id="*") 

(You don't actually need the ANDs, I'm just including them to make it clearer. The following is also acceptable.)

index=... (acc-number=818 (vpc_id="vpc-078" OR vpc_id="vpc-02c" )) OR (acc-number!=818 vpc_id="*") 



Answer 2:


Do you have the field vpc_id extracted? If you do the search ... | stats count by vpc_id, do you get results split by vpc_id?

The reason I ask this is that your second search shouldn't work, ...|search vpc_id=vpc-06b. What I expect would work, if you had the field extracted, would be ...|search vpc_id="vpc-06b". If the second case works, then your logic with the case statement is correct.

I'm going to assume that the field has not been extracted properly. In that case, I suggest you try the following. I use the rex command to force the field to be extracted, then use that in the comparison.

... | rex field=_raw "vpc_id=(?<vpc_id>\S+)" | eval val1=case(acc_no==818,"vpc-06b",acc_no!=818,"*") | where vpc_id=val1
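An added example, not part of the question or either answer, using constructed rows from `makeresults` so it runs on any Splunk instance without an index. The `search` command compares a field against a literal string, so `search vpc_id=val1` looks for the text "val1"; `where` compares field to field, but then `"*"` is also taken literally rather than as a wildcard, so the fallback branch is checked explicitly:

```spl
| makeresults count=3
| streamstats count AS n
| eval acc_no=case(n==1, 818, n==2, 818, n==3, 999)
| eval vpc_id=case(n==1, "vpc-06b", n==2, "vpc-078", n==3, "vpc-02c")
| eval val1=if(acc_no==818, "vpc-06b", "*")
| where val1="*" OR vpc_id=val1
| table n acc_no vpc_id val1
```

The result keeps rows 1 and 3 (row 2 has acc_no 818 but a different vpc_id); replacing the `where` line with `| search vpc_id=val1` returns nothing, which is the symptom described in the question.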


Source: https://stackoverflow.com/questions/58622256/assign-a-value-to-the-variable-in-splunk-and-use-that-value-in-the-search
