Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to dynamically change index value based on different time span selected?

Wendy
Explorer
‎07-30-2023 05:05 PM

Hi there, need a bit of help here. 

Context: 

Our organisation recently changed the `index` thus we need to update all queries to search against the new index after an exact date. 

Our current solution is to create a duplicated dashboard, and use the new index in all queries. 

I was wondering if there are better ways to dynamically update the value of `index` based on different time span. 

 

Task:

Is there a way to dynamically update index value based on a time span selected? Like we'd like to use value of 'some_index_1' before 20th July 2023; and use value of 'some_index_2' after 20th July 2023. 

Current query template:

index=some_index_1 cf_org_name=my_org_name cf_app_name=some_appName_1 message_type=OUT | search "Submit succesfull" | stats count

 

Thanks in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

cklunck
Path Finder
‎07-30-2023 06:23 PM

If all the data you're interested in was going to some_index_1 before 20th July, and after that date the data was going to some_index_2, would it work if the queries search both indexes? For example:

(index=some_index_1 OR index=some_index_2) <other stuff>

 

Then the searches could span across the 20th July boundary and retrieve results from both old and new indexes.

Reply

Wendy
Explorer
‎07-30-2023 07:01 PM

Hi @cklunck , thanks for your prompt reply. 

Yeah, the solution you suggested worked. 

Was wondering can we make the result (aka `stats count`) more granular, like one row shows counts before 20th July 2023 & another row shows counts after. 

Should have mentioned this earlier, the `index` is not the only field changed, we also changed `cf_app_name` thus was wondering if those fields can be populated dynamically so it's easier to see results in a more granular level. Thanks. 

 

Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-30-2023 09:07 PM

You need to specify how cp_app_name is changed.  Assuming their values are already known, you can do the same, like

 

index IN (some_index_1, some_index_2) cp_app_name IN (app1, app2)

 

As to stats with before and after rows, you can do  something like

| eval cutover = if(_time < strptime("2023-07-20", "%F"), "before", "after")
| stats stats_fun(some_field) by cutover
Reply

Wendy
Explorer
‎07-30-2023 10:41 PM

Thanks @yuanliu , your suggestion worked for us. Thanks again.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-30-2023 10:55 PM

Hi @Wendy ,

even if the hinted solution worked, I'd like to make a question: why do you change your index?

usually index is choosed for two/three reasons: in an index must be stored events with:

  • the same retention,
  • the same user accesses;

in addition (useful but not mandatory) events with similar volumes.

In other words there's no utility having many indexes with the same grants or the same retention policy, changing with the time (e.g. one index every year or every month for the same data).

It isn't so manageable to have many indexes.

At least, you could use eventtypes instead index (https://docs.splunk.com/Documentation/Splunk/9.1.0/Knowledge/Abouteventtypes) so you can update your dashboards searches only updating the index list in one site.

In other words, you could create an eventtype (called e.g. indexes) containing yur main search:

index IN (some_index_1,some_index_2,,some_index_3)

and use it in your dashboards:

eventtype=indexes cf_org_name=my_org_name cf_app_name=some_appName_1 message_type=OUT "Submit succesfull" 
| stats count

A final hint: don't use the search command after the main search because your search will be slower than putting the additional search parameters in the main search.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...