Mastering Splunk

Searching with parameters

In Splunk, searches can be initiated either in Splunk Web or in the Splunk command-line interface (CLI). For information on how to access the CLI and find help for it, refer to the Splunk Admin manual.

Your searches in the CLI work the same way as searches in Splunk Web, except that no timeline is shown with the search results and there is no default time range. Instead, the results are displayed as a raw events list or a table, depending on the type of your search. Search parameters (such as batch, header, and wrap) are options that control the way the CLI search is run or the way the search results are displayed.

Note

In addition to Splunk Web and the Splunk CLI, there is an application programming interface (API) available, which Splunk programmers can use to perform searches and manage Splunk configurations and objects.

Searching with the CLI will not be covered in this book. Instead, our discussion on searching with parameters will focus on the (advanced) idea of parameterizing portions of a Splunk search using statements such as eval, and will then segue into our next section, Splunk macros.

In Splunk searches, you have the ability to parameterize a search through the use of the eval statement. This means that a search can be written to take as its search criteria the current value of the following:

  • A single field
  • A portion of a field or fields
  • Multiple fields
  • A calculated value
  • A logically built value

The eval statement

The Splunk eval statement will evaluate (almost) any expression and put the resulting value into a (required) field that can be used (as a parameter) by a Splunk search. Its syntax is simple:

eval <eval-field>=<eval-expression>

It has the following parameters:

  • eval-field: This is the destination (string) field name for the resulting value
  • eval-expression: This is a combination of values, variables, operators, and functions that represent the value of the eval destination field

The eval statement can include arithmetic, concatenation, and Boolean operators as well as a number of Splunk functions (such as isnull, tostring, and upper, to name a few).

A simple example

Let's see a simple eval example:

sourcetype=TM1* error | eval event_date = date_month . "/" . date_mday . "/" . date_year | where event_date = "october/24/2007"

The preceding Splunk search uses the eval statement to create a new field named event_date by concatenating the date_month, date_mday, and date_year fields (the . operator is Splunk's string concatenation operator), and then uses this field in the search to locate only the events that occurred on a particular date. Consider the following:

sourcetype=TM1* error | eval status = if(date_wday == "sunday", "Error", "OK") | search status=Error

The preceding Splunk search uses the eval statement to set a status field using some logic. In this case, if errors found in the TM1 server logs occurred on a Sunday, then they are treated as true errors and Splunk returns those events for review; otherwise (if the error occurred on any other day), the events are ignored (not returned).
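As an added example that is not from the book, the following search parameterizes its filter with every kind of value listed earlier in this section: a portion of a field (substr on the status code), multiple fields combined in a logically built value (case with upper), and a calculated value (tonumber on the hour). The first three commands construct sample TM1-style login events with makeresults, and the rex extracts date_*, host, user, and status fields in place of what indexed events would carry; those field names, hostnames, user names, and the E/I status-code convention are assumptions for the example, not taken from the book or from TM1 documentation.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "2007-10-24 02:15:03 host=tm1srv01 user=ADMIN status=E1042 msg=login failed",
                 n==2, "2007-10-24 09:40:11 host=tm1srv01 user=jsmith status=E1042 msg=login failed",
                 n==3, "2007-10-24 03:05:47 host=tm1srv02 user=ADMIN status=I0001 msg=login ok")
| rex field=_raw "^(?<date_year>\d{4})-(?<date_month>\d{2})-(?<date_mday>\d{2}) (?<date_hour>\d{2}):\d{2}:\d{2} host=(?<host>\S+) user=(?<user>\S+) status=(?<status>\S+)"
| eval _time=strptime(substr(_raw, 1, 19), "%Y-%m-%d %H:%M:%S")
| eval severity_class=substr(status, 1, 1)
| eval off_hours=if(tonumber(date_hour) < 6 OR tonumber(date_hour) >= 20, 1, 0)
| eval risk=case(severity_class=="E" AND off_hours==1 AND upper(user)=="ADMIN", "high",
                 severity_class=="E", "medium",
                 true(), "low")
| where risk != "low"
| table _time host user status severity_class off_hours risk
```

Against indexed data, replace the makeresults, streamstats, and first eval with a search such as sourcetype=TM1* and drop the date_* captures from the rex, since Splunk extracts date_hour, date_mday, date_month, and date_year from each event's timestamp automatically.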