Splunk Search

If/Then To different Eval Statements

albyva
Communicator

I'm trying to have a Splunk Alert kick off an email (to an email script) and depending on the search query it should email Address1 or Address2. How do I create this type of variable? Should I set up a where statement like | where search=Apples | eval email="address1" | where search=Oranges | eval email="address2" ????

Example:

[search yields Apples] | eval email="address1"

[search yields Oranges] | eval email="address2"


pradeepkumarg
Influencer

You can club if and eval as below.

eval email=if(mycondition,"address1","address2")


somesoni2
Revered Legend

Try this

| eval email=if(like(BPS,"%Gbps"),"address1","address2") 

albyva
Communicator

Thank You !!!! 🙂

albyva
Communicator

Can you add a wildcard into mycondition?

I see where if(X,Y,Z) says: This function takes three arguments. The first argument X is a Boolean expression. If X evaluates to TRUE, the result is the second argument Y. Optionally, if X evaluates to FALSE, the result evaluates to the third argument Z.

My problem now is that (X) is something like 123.45 Gbps or 45.67 Mbps. My goal is to have Gbps send email to address1 and everything go to address2.

Example:

| eval email=if(BPS="Gbps","address1","address2")

The problem appears to be that if I say Gbps or even *Gbps in the X field, neither seems to work. It's only when I specify the exact value like 123.45 Gbps that it actually works. So what I need is a wildcard, but that isn't working. Any suggestions???

Thanks


pradeepkumarg
Influencer

Yes, you should be able to do it. You can also try to extract just Gbps and Mbps into a field before the condition and try the comparison on that field.

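Putting the two replies together, here is an added example (not from any post in the thread) that builds three sample BPS values with makeresults, routes them with like() as somesoni2 suggested, and also extracts the unit into its own field first as pradeepkumarg suggested; address1 and address2 are the placeholder addresses from the question, and the field name BPS and the regex are assumptions.

```spl
| makeresults count=3
| streamstats count AS n
| eval BPS=case(n=1, "123.45 Gbps", n=2, "45.67 Mbps", n=3, "987 Kbps")
| rex field=BPS "(?<unit>[KMG]bps)$"
| eval email=if(like(BPS, "%Gbps"), "address1", "address2")
| eval email_by_unit=case(unit="Gbps", "address1", true(), "address2")
| table BPS unit email email_by_unit
```

The two email columns agree for all three rows; like() is case-sensitive, so wrap the field in lower() and match "%gbps" if the unit is not always capitalised the same way, and in the real alert replace makeresults with the original search and keep the eval so the alert script can read the email field.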