Alexsandro Souza
Reputation: 995
How to use Splunk functions in the query
Anyone here knows how can I use built-in functions(case) in a Splunk Query? All examples I found were to handle the query results (I can not put it after eval or | )
I need something like.
index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all") sourcetype="kube:container:rail-service"
OBS I can not just concat the indexVar + "-all"
Upvotes: 0
Views: 788
Answers (1)
RichG
Reputation: 9916
The case function may be built-in, but that doesn't mean you can use it anywhere. It's only valid with the eval, fieldformat, and where commands.
A workaround would be to put the eval in a subsearch.
sourcetype="kube:container:rail-service" [
| makeresults
| eval index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all")
| fields index ]
Upvotes: 3
Related Questions
- Extract data from splunk
- Splunk query with conditions of an object
- Splunk search query syntax?
- How to do compound query with where clause in Splunk?
- Adding custom fields to splunk query
- In splunk How to apply Multiple filter on splunk
- Splunk query based on the results of another query
- How to append two queries in splunk?
- How to combine two queries in Splunk?
- Splunk query to filter results