Splunk Search

How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

kasu_praveen
Communicator

I have a search which has a field (say FIELD1). I would like to check for the presence of a FIELD1 value in a subsearch. If that FIELD1 value is present in the subsearch results, then do work-1 (the remaining search will change in direction-1), otherwise do work-2 (the remaining search will change in direction-2).

pseudo search query:

index="sample_index" sourcetype="sample_sourcetype"| fields FIELD1 | search FIELD1 in [my sub search here| fields FIELD1] | if FIELD1 is present in subsearch, then do work-1, If not do work-2.

I looked at https://answers.splunk.com/answers/31842/why-cant-i-use-subsearch-in-the-case-function-in-the-eval-c...
But this is talking about comparing a single value with a single value from a subsearch. What I am looking for is finding a FIELD1 value in multiple results of a subsearch.

Any suggestions to proceed further?

1 Solution

stephane_cyrill
Builder

Hi, I think you can do it like this:
1- you write a search1 that tracks FIELD1 (you can use a regex for that) and put the result in a variable, let's say VAR

2- you pipe search1 and use the eval command with if().

3- in the function if(), in place of the conditional results you put subsearches.

4- all the previous steps will look like this:

index=.... sourcetype=... search1 | eval result=if( VAR="FIELD1" , [subsearch1 | return $result1] , [subsearch2 | return $result2] ) | table result

5- note that if you have many conditions you can nest if() like this:

if( condition, if(....), [ ] )

6- this is a small example using Splunk internal events:

index=* | eval result=if( host != "myPc" , [search index=* | stats dc(host) as cc | return $cc] , [search index=_* | stats c(source) as cs | return $cs] ) | table result
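
As an added example (not from the original post or from Splunk's documentation), the pipeline below answers the membership part of the question directly: it tags every FIELD1 value from the first search with whether the same value also occurs in the second search, by appending the second search, collapsing on FIELD1 with stats, and deriving the flag with mvfind. The second search (index="other_index" sourcetype="other_sourcetype") is an assumed stand-in for the asker's SEARCH2, and the SEARCH3/SEARCH4 labels are placeholders for the two branches the asker wants to take afterwards.

```spl
index="sample_index" sourcetype="sample_sourcetype"
| fields FIELD1
| eval src="search1"
| append
    [ search index="other_index" sourcetype="other_sourcetype"
      | fields FIELD1
      | eval src="search2" ]
| stats values(src) AS src BY FIELD1
| where isnotnull(mvfind(src, "^search1$"))
| eval in_search2=if(isnotnull(mvfind(src, "^search2$")), 1, 0)
| eval branch=if(in_search2=1, "SEARCH3", "SEARCH4")
| table FIELD1 in_search2 branch
```

The where clause keeps only FIELD1 values that came from the first search, so the output is exactly that set with a per-value yes/no answer; the branch field can then drive a conditional eval or case(), or be handed to the map command mentioned further down this thread, which is subject to the usual subsearch and append result limits.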

pamcarvalho
Path Finder

I know this question is old, but you could do it using the command map (no, it doesn't have to do with geographic maps).
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Map

thuhuongle
Explorer

Hi @stephane_cyrill 

I have run a quick try of your approach, but it returned only one field, and I need to remove all non-streaming commands. Do you have another approach to advise?

stephane_cyrill
Builder

|multisearch
 [search <your base search1> here you track FIELD1 and put the result in VAR1]
 [search <your base search> here you track FIELD1 and put the result in VAR2]
 | eval result=if(VAR1==VAR2, [SEARCH3 | return $result1] , [SEARCH4 | return $result2])

Take a look at the return command in the Search Reference manual.

kasu_praveen
Communicator

This seems to be the approach.
My query had issues because of the other searches (SEARCH3 and SEARCH4).

Thanks for your time, stephane_cyrill.

kasu_praveen
Communicator

Thanks for your response @stephane_cyrill. What I was looking for is slightly different.

Once I get FIELD1 from search1, I need to search for that value in a subsearch.
If FIELD1 is found in the subsearch then proceed with SUBSEARCH1, if not SUBSEARCH2.

So, instead of simply comparing apples to apples (host!="mypc"), is there a way I can search for the FIELD1 value in a subsearch?

To explain it in another, more detailed way, I have 4 searches (SEARCH1, SEARCH2, SEARCH3, SEARCH4).
1. I will get FIELD1 from SEARCH1.
2. Search for the FIELD1 values in SEARCH2. If found, do SEARCH3; if not, SEARCH4.

Thanks for your time and interest in this. Truly appreciated.
An early response will be much more helpful for me.

sayleekamthe
Observer

Hi, can someone please provide a query for this? I am also looking for something similar. I want a search to retrieve the value (VAR1) of FIELD1 and then write search2 with that value (VAR1).
