Splunk Search

How to edit my search inside an IF Condition?

karthikmalla
Explorer

Hello, I am having trouble writing a search string within an IF condition.

My example Search String is: index=* sourcetype=WinEventLog:Security EventCode=4648

I tried it in the manner below:

| stats count as mytext 
| eval mytext = if(("$accounttype$" = "suspected"), "All Good", "JOIN_SEARCH")
| join mytext [index=* sourcetype=WinEventLog:Security EventCode=4648
| eval mytext="JOIN_SEARCH"]

In the above search string $accounttype$ is a drop-down token into the dashboard.

I am getting the error "Unknown search command index=*".

1 Solution

acharlieh
Influencer

The problem you are running into is that, unlike the main search, when using subsearches (as is the case here with join), it is not assumed that the first command will be search. There are very common use cases for subsearches where this does not hold true.

So being explicit like so would solve your immediate syntax error:

| stats count as mytext 
| eval mytext = if(("$accounttype$" = "suspected"), "All Good", "JOIN_SEARCH")
| join mytext [search index=* sourcetype=WinEventLog:Security EventCode=4648 | eval mytext="JOIN_SEARCH"]

That said... it seems you are attempting to optionally run a search in a dashboard in response to an input. Could I suggest getting rid of the join and instead just using the simple search as your search, and using tokens to control the display of the panel? (This docs page has a ton of ideas around manipulating tokens.)

Alternatively, if you really feel the need to control running within the search, you could eliminate the join by flipping the condition like so:

index=* sourcetype=WinEventLog:Security EventCode=4648 | where "$accounttype$" != "suspected"

You could even tack on the "All Good" message using appendpipe if you wanted:

... | appendpipe [stats count | eval message="All Good" | where count=0 | fields - count]

But I really feel like in a dashboard, token manipulation outside of the searches is your best bet.
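As an added example that is not part of acharlieh's answer, this is what the recommended token-driven approach looks like in Simple XML: the dropdown's change handler sets or unsets tokens, and the panels show or hide based on them, so the 4648 search only runs when its panel is visible. The token names `show_search` and `show_allgood`, the choice values, the time range and the `stats count by host` tail are assumptions.

```xml
<form>
  <!-- Added example, not from the original post: token-driven panel display.
       Token names show_search / show_allgood are assumptions. -->
  <label>Explicit credential logons (EventCode 4648)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="accounttype" searchWhenChanged="true">
      <label>Account type</label>
      <choice value="suspected">suspected</choice>
      <choice value="normal">normal</choice>
      <default>normal</default>
      <change>
        <!-- A condition with a value matches that selection; the bare
             condition is the catch-all for every other selection -->
        <condition value="suspected">
          <unset token="show_search"></unset>
          <set token="show_allgood">true</set>
        </condition>
        <condition>
          <set token="show_search">true</set>
          <unset token="show_allgood"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- A panel hidden via depends is not rendered and its search does not
         run, which replaces the join/if construct from the question -->
    <panel depends="$show_search$">
      <table>
        <title>4648 events by host</title>
        <search>
          <query>index=* sourcetype=WinEventLog:Security EventCode=4648 | stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <!-- Shown instead of the table when the dropdown is "suspected" -->
    <panel depends="$show_allgood$">
      <html>
        <p>All Good</p>
      </html>
    </panel>
  </row>
</form>
```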

