I'm trying to create a conditional which will search using one of two search terms based on an IF statement.
A simplified example of what I'm trying to do looks like this:
IF "(condition)",then, "Search1", else, "Search2"
For context, I'm trying to check to see if an IP matches a CIDR range (private address). If there's a match, execute Search1. If not, execute Search2.
I'm new to SPL, coming from a scripting background, so I'm not sure if this method is even possible in Splunk.
Thank you!
Edit: Here is more information
The IF statement (checking if token $ip$ is an internal address):
if((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$)), Search1, else Search2)
Search1 (filtering out other internal addresses, if token $ip$ is an internal address):
sourcetype=example src=$ip$ | where dest!="10.0.0.0/8" | where dest!="172.0.0.0/8"
Search 2 (not filtering internal addresses, if token $ip$ is an external address):
sourcetype=example src=$ip$
I've excluded the sorting commands etc. that will be appended, since I do not believe they would affect the logic here.
Give this a try
sourcetype=example src=$ip$ | where NOT ((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) AND (dest="10.0.0.0/8" OR dest="172.0.0.0/8")) | ...rest of the search...
OR
sourcetype=example src=$ip$ | where NOT [| gentimes start=-1 | eval dest=if((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")),"10.0.0.0/8#172.0.0.0/8","*") | table dest | makemv dest delim="#" | mvexpand dest ] | ...rest of the search...
Your second solution works! Thank you. However, I don't know how it works. Could you break down these steps for me?
The where subsearch is basically drawing down the dest field filter and returning it to the main search.
a) If (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is true, the subsearch is setting the value of dest as 10.0.0.0/8#172.0.0.0/8, splitting them out, and the final output will be (including the where clause) | where NOT (dest="10.0.0.0/8" OR dest="172.0.0.0/8").
b) If (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is false, the subsearch is setting the value of dest as * and the final output will be (including the where clause) | where NOT (dest="*"). If I think again, you can use any junk character/string instead of *. The purpose here should be to ensure that the filter doesn't match against any records and does no filtering.
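The same if-internal-then-Search1-else-Search2 logic can also be written without a subsearch, by computing the condition per event with eval and folding both branches into one where clause. This is an added example, not a search from the thread or from Splunk's documentation; it assumes the same sourcetype=example, src and dest fields and $ip$ token as the question, and uses the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in place of the 172.0.0.0/8 used above; substitute the thread's ranges if those are what you intend.

```spl
sourcetype=example src="$ip$"
| eval src_internal=if(cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.16.0.0/12","$ip$") OR cidrmatch("192.168.0.0/16","$ip$"), 1, 0)
| eval dest_internal=if(cidrmatch("10.0.0.0/8",dest) OR cidrmatch("172.16.0.0/12",dest) OR cidrmatch("192.168.0.0/16",dest), 1, 0)
| where src_internal=0 OR dest_internal=0
| fields - src_internal dest_internal
```

When the token is an internal address, src_internal is 1 for every event, so the where clause keeps only events whose dest is outside the private ranges (Search1). When the token is external, src_internal is 0 and every event passes (Search2). One caveat worth checking against your data: cidrmatch on dest tests whether the destination address falls inside the range, whereas a comparison such as dest="10.0.0.0/8" only matches events whose dest field literally contains that string, so the two filters agree only if dest holds CIDR strings rather than plain IP addresses.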
We can help better if you could post both your searches.