... | eval test=if(condition,"INFO","Error") | search test
If condition is true the search must behave as
... | search "INFO"
else
... | search "Error"
Please help me with this.
Like this (with a subsearch):
... | search [| noop | stats count AS search | eval search=if(condition, "INFO", "Error") | return $search]
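A fuller version of the subsearch pattern above, added here as an example that is not part of the original answer: the condition is an assumed one (more than 100 splunkd errors in the last 15 minutes, with the threshold chosen for illustration), and the subsearch returns the whole filter clause, followed by the per-event alternative that avoids building search strings from data.

```spl
index=_internal sourcetype=splunkd
    [ search index=_internal sourcetype=splunkd log_level=ERROR earliest=-15m
      | stats count
      | eval search=if(count > 100, "log_level=ERROR", "log_level=INFO")
      | return $search ]
| table _time log_level component message

index=_internal sourcetype=splunkd
| eval wanted=if(component=="Metrics", "INFO", "ERROR")
| where log_level=wanted
| table _time log_level component message
```

The subsearch form evaluates the condition once and splices the returned text into the outer search, so only use it with values you control (a literal you wrote, never a field copied from events or user input); when the condition depends on each event, the `where` form is both simpler and does not interpolate data into the query string.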
@sravankaripe... You would actually need to provide details around what your conditions are and what the event is that triggers the condition.
Please see an example below where I am running a dummy search to set my token. Then I am using the token in the actual search as a search query filter. There are multiple possibilities and solutions.
<dashboard>
  <search>
    <query>| makeresults
| eval log_level="INFO"
| table log_level</query>
    <!-- <done> fires once the (instant) makeresults search completes; <preview> may never fire for it.
         Token substitution happens before the eval runs, so the result field is quoted. -->
    <done>
      <eval token="queryString">if("$result.log_level$"=="INFO","INFO","ERROR")</eval>
    </done>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="splunkd" log_level="$queryString$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
Use tokens:
... | eval test=if(condition,"INFO","Error") | search $test$