Search code examples
splunksplunk-querysplunk-dashboard

How do I transform array in search or elsewhere in dashboard

I have a search that is working fine

index=event_db environment=prod release = 2020150015 
| timechart count as Events

However, I'd like to modify this to search for any release in an array of releases. I'm aware of the "in" operator.

The catch is that the array of releases I've been provided ("Releases") is formatted slightly differently like so:

[ver2020.15.0015, ver2020.15.0016, ver2020.22.0019]  // in general, many more than 3!

Is there a way to use the in operator and some mapping to get release in

[2020150015, 2020150016, 2020220019] ?

Can this be put in the search?

This is part of a panel so if it's simpler I could have code elsewhere to convert [ver2020.15.0015, ver2020.15.0016, ver2020.22.0019] into [2020150015, 2020150016, 2020220019]

However, as mentioned I'm a newbie so my knowledge of where to put code to transform an array is limited :)

I have a fieldset section and a panel with a query in it.

The "Releases" array is populated in the fieldset section as so:

<input type="text" token="Releases">
  <label>Release or Releases</label>
  <default>*</default>
</input>

The user enters ver2020.15.0015 or perhaps ver2020.15.*.

I can't just have the user enter 2020150015 as the ver2020.15.0015 format is used elsewhere.

Perhaps there's a way to create new field Releases_Alt right after getting this?

Let me know of any other info I can provide. As I said, I'm new to Splunk so I'm still struggling with terminology.

Solution

  • Try this query. It uses a subsearch to build the IN argument. Subsearches in Splunk run before the main search and the output of the subsearch replaces the subsearch itself.

    index=event_db environment=prod release IN ( 
    [ | makeresults 
    | eval Releases=replace ($Releases|s$, "[ver\.]+","") 
    | return $Releases ] )
| timechart count as Events

    The makeresults command is there because even subsearches have to start with a generating command. makeresults creates a "dummy" event that allows other commands to work.

    The eval command does the work of converting release versions into the desired format. Note the use of |s with the Releases token. This construct ensures the contents of the token are enclosed in quotation marks, which is expected by the replace function.

    Finally, the return command with $ returns the results of the eval, but without the field name itself. Without it, the subsearch would return releases="2020150015, 2020150016, 2020220019", which wouldn't work.