Splunk Search

How to edit my search inside an IF Condition?

karthikmalla
Explorer

Hello, I am having trouble writing a search string within an IF condition.

My example Search String is: index=* sourcetype=WinEventLog:Security EventCode=4648

I tried it in the below manner

| stats count as mytext 
| eval mytext = if(("$accounttype$" = "suspected"), "All Good", "JOIN_SEARCH")
| join mytext [index=* sourcetype=WinEventLog:Security EventCode=4648
| eval mytext="JOIN_SEARCH"]

In the above search string $accounttype$ is a drop-down token into the dashboard.

I am getting an error: Unknown search command index=*

0 Karma
1 Solution

acharlieh
Influencer

The problem you are running into is that, unlike the main search, when using subsearches (as is the case here with join), it is not assumed that the first command will be search. There are very common use cases for subsearches where this does not hold true.

So being explicit like so would solve your immediate syntax error:

| stats count as mytext 
| eval mytext = if(("$accounttype$" = "suspected"), "All Good", "JOIN_SEARCH")
| join mytext [search index=* sourcetype=WinEventLog:Security EventCode=4648 | eval mytext="JOIN_SEARCH"]

That said... it seems you are attempting to optionally run a search in a dashboard in response to an input. Could I suggest getting rid of the join and instead just using the simple search as your search, and using tokens to control the display of the panel? (This docs page has a ton of ideas around manipulating tokens).

Alternatively, if you really feel the need to control running within the search, you could eliminate the join by flipping the condition like so:

index=* sourcetype=WinEventLog:Security EventCode=4648 | where "$accounttype$" != "suspected"

You could even tack on the "All Good" message using appendpipe if you wanted:

... | appendpipe [stats count | eval message="All Good" | where count=0 | fields - count]

But I really feel like in a dashboard, token manipulation outside of the searches is your best bet.
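As an added illustration of the token-driven approach recommended in the accepted answer (this is example code, not part of the original answer or of Splunk's own documentation), the Simple XML below wires the `accounttype` dropdown to two tokens and lets the panels' `depends` attributes decide what is displayed, so no join or conditional eval is needed inside the search. The token names `show_results` and `show_all_good`, the dropdown choices, the 24-hour time range and the `stats count by host` aggregation are assumptions chosen for the example; the base search is the one from the question.

```xml
<form>
  <label>Explicit credential logons (EventCode 4648)</label>

  <fieldset submitButton="false">
    <!-- The dropdown from the question; choice values are assumed -->
    <input type="dropdown" token="accounttype">
      <label>Account type</label>
      <choice value="all">all</choice>
      <choice value="suspected">suspected</choice>
      <default>all</default>
      <!-- Set/unset display tokens whenever the selection changes.
           Token names are assumptions for this example. -->
      <change>
        <condition value="suspected">
          <set token="show_all_good">true</set>
          <unset token="show_results"></unset>
        </condition>
        <condition>
          <set token="show_results">true</set>
          <unset token="show_all_good"></unset>
        </condition>
      </change>
    </input>
  </fieldset>

  <row>
    <!-- Rendered (and its search run) only while show_results is set -->
    <panel depends="$show_results$">
      <title>4648 events by host</title>
      <table>
        <search>
          <!-- Base search from the question; aggregation is assumed -->
          <query>index=* sourcetype=WinEventLog:Security EventCode=4648
| stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>

    <!-- Static message panel, shown only while show_all_good is set -->
    <panel depends="$show_all_good$">
      <html>
        <h3>All Good</h3>
      </html>
    </panel>
  </row>
</form>
```

Because a panel whose `depends` token is unset is not rendered, its search is not dispatched either, which gives the "optionally run a search" behaviour from the question without any subsearch syntax to get wrong.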


