- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a search where if a specific value fo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search which has a field (say FIELD1). I would like to search the presence of a FIELD1 value in subsearch. If that FIELD1 value is present in subsearch results, then do work-1 (remaining search will change in direction-1), otherwise do work-2 (remaining search will change in direction-2).
pseudo search query:
index="sample_index" sourcetype="sample_sourcetype"| fields FIELD1 | search FIELD1 in [my sub search here| fields FIELD1] | if FIELD1 is present in subsearch, then do work-1, If not do work-2.
I looked at https://answers.splunk.com/answers/31842/why-cant-i-use-subsearch-in-the-case-function-in-the-eval-c...
But, this is talking about comparing single value with single value from subsearch. What I am looking is finding FIELD1 value in multiple results of subsearch.
Any suggestions to proceed further?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I think you can do it like this:
1- you write a search1 that track FIELD1 (you can use a regex for that ) and put the result in a variable let's say VAR
2- you pipe search1 and use eval command with if() .
3- in the funtion if( ) , at the place of conditionals results you put subsearches.
4- all the previous steps will look like this:
index=.... sourcetype=... search1 |eval result=if( VAR="FIELD1" ,[subsearch1|return $result1 ] , [subsearch2l return $result2] ) | table result
5-note that if you have many conditions you can imbricate if() like this:
if( condition, if(....), [ ] )
6- this is a small example using splunk internal event:
index=* | eval result=if( host != "myPc" , [search index=* |stats dc(host) as cc|return $cc] , [ search index=_* |stats c(source) as cs |return $cs] ) | table result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this question is old, but you could do it using the command map (no, it doesn't have to do with geografic maps)..
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Map
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I think you can do it like this:
1- you write a search1 that track FIELD1 (you can use a regex for that ) and put the result in a variable let's say VAR
2- you pipe search1 and use eval command with if() .
3- in the funtion if( ) , at the place of conditionals results you put subsearches.
4- all the previous steps will look like this:
index=.... sourcetype=... search1 |eval result=if( VAR="FIELD1" ,[subsearch1|return $result1 ] , [subsearch2l return $result2] ) | table result
5-note that if you have many conditions you can imbricate if() like this:
if( condition, if(....), [ ] )
6- this is a small example using splunk internal event:
index=* | eval result=if( host != "myPc" , [search index=* |stats dc(host) as cc|return $cc] , [ search index=_* |stats c(source) as cs |return $cs] ) | table result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have run a quick try as your approach but it got only one field return and I need to remove all non streaming command. Do you have another approach to advice?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
|multisearch
[search <your base search1> here you track FIELD1 and put the result in VAR1]
[search <your base search> here you track FIELD1 and put the result in VAR2 ]
| eval result=if(VAR1==VAR2, [SEARCH3|return $result1] ,[SEARCH3|return $result2])
take a look on return command in Search Reference manual.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to be the approach.
My Query had issues, because of other searches (SEARCH3 and SEARCH4).
Thanks for your time Stephane_cyrille
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response @stephane_cyrille, What I was looking is slightly different.
Once I got FIELD1 from search1, I need to search for that value in a subsearch.
If FIELD1 is found in subsearch then proceed with SUBSEARCH1, if not SUBSEARCH2.
So, instead of simply comparing apple to apple (host!="mypc"), Is there a way I can search for FIELD1 value in subsearch?
Explaining In another detailed way, I have 4 searches (SEARCH1 ,SEARCH2 ,SEARCH3 ,SEARCH4).
1. I will get FIELD1 from SEARCH1.
2. Search FIELD1 values in SEARCH2, If found do SEARCH3, If not SEARCH4
Thanks for your time and interest on this. Truly appreciated.
Early response will be much more helpful for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can someone please provide a query for this? I am also looking for something similar. I want a search to retrieve value(VAR1) of FEILD1 and then write search2 with that value(VAR1).
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
