| search index=*** AND some value=filter

cabauah · ‎10-05-2017

Hello Splunk Community,

Business requirements pushing my knowledge on Splunk so far... just wondering if Splunk query can be subdivided into methods/functions? The current scenario I'm trying to figure out is depending on a search result which can have multiple fields... the 3rd search/subsearch field would vary.

Pseudo Logic goes:
if precheck field outputs A
do
search A1 cond, B1 cond, C1 cond
else
if precheck field outputs B
do
search B1 cond, D1 cond, E1 cond

I'm already doing join to arrive at the precheck output

tried this
...| eval search1 = "Field1=Y AND Field 2="xxxx" AND Field 3="bbbbb""
| eval search2 = "Field4=N AND Field5="zzzz""
| eval filter=if (COND=1, search1, search2)
| search filter

but getting some error: "Error in eval command, Fields cannot be assigned a boolean result, Instead, try if(bool expr, expr, expr)"

Sukisen1981 · ‎10-05-2017

Hi - You need to do something like this...

...| eval search1 = Field1
| eval search2 = Field4
| eval filter=if (COND=1, search1, search2)

| search index=*** AND some value=filter

Without looking at your search it is impossible to say exactly what you are trying...but this is the way to do it...

View solution in original post

Sukisen1981 · ‎10-05-2017

Hi - You need to do something like this...

...| eval search1 = Field1
| eval search2 = Field4
| eval filter=if (COND=1, search1, search2)

| search index=*** AND some value=filter

Without looking at your search it is impossible to say exactly what you are trying...but this is the way to do it...

Dynamic Search based on previous search output and if condition

| search index=*** AND some value=filter

| search index=*** AND some value=filter

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!