Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I perform If-Then-Else logic within a search?

johnny_goya
Explorer
‎12-26-2017 06:02 PM

Can I use if else for multiple search?

Like this:
index=* | eval result=if(field<=178000, [ search index=notable | regex status_label="Resolved" ] , [ search index=notable | regex status_label="Closed" ])

Tags (1)
0 Karma
Reply

johnny_goya
Explorer
‎12-27-2017 11:48 PM

I think I've found a way to reach my goal.
I will separate the querys and use summary index.
Thanks for the support guys. Thanks for the advice.

0 Karma
Reply

DalJeanis
Legend
‎12-27-2017 05:23 PM

Your search doesn't make sense as you have written it.

The flow of a splunk search starts at the top and flows down, affecting each event in the input set by one command at a time. You are apparently trying to bring in a "flow" of data at the spot of your if statement -- which does not work in splunk or any other language.

So, start over and rethink your requirements from the point of view of each individual event being processed. Describe to yourself, and then us, what needs to happen to each one.

Please remember also, though, that when you output a record with append=t to a lookup, that all the prior records are still there, so it is NOT the same as updating an existing record.

0 Karma
Reply

johnny_goya
Explorer
‎12-27-2017 06:35 PM

I'm trying to avoid using script

0 Karma
Reply

johnny_goya
Explorer
‎12-27-2017 11:47 PM

Thanks for the support. Thanks for the advice.

0 Karma
Reply

johnny_goya
Explorer
‎12-27-2017 05:38 PM

I've just posted the part of the query that I'm in doubt about.

Do you know some way to do my task? I tried to use this search, but it does not execute if statement correctly. It always executes the subsearch regardless of the result of the if statement.

I need to automate changing the status_label of a notable case if it has been in status_label resolved for more than 2 days.

0 Karma
Reply

nikita_p
Contributor
‎12-27-2017 01:28 AM

Hi johnny_goya,
Few questions i have. what are the fields in your lookup and which is the identical field in lookup and logs. Is "field" present in your logs?

0 Karma
Reply

johnny_goya
Explorer
‎12-27-2017 02:53 PM

I'm talking about the Enterprise Security lookup incident review. This lookup stores the entire workflow of the generated events.

The field was created by the time difference. [field = now () - last update of the event].

I want the notable goes to status_label Closed automatically after 2 days.

0 Karma
Reply

493669
Super Champion
‎12-26-2017 09:23 PM

so you want if (field<=178000) then update result="Resolved" else update incident_review_lookup lookup
is my understanding correct?

0 Karma
Reply

johnny_goya
Explorer
‎12-26-2017 09:39 PM

I want something like that.

I tried to use the following query.

| eval status_envio=if(tempo_status<=172800, "notificacao", [ search notable | search status_label=Resolved | eval owner="Automatic" | eval urgency="informational" | eval status=5 | eval comment="Finished" | rex mode=sed field=comment "s/,/\n/g" | eval user="Automatic" | eval time=now() | outputlookup append=true incident_review_lookup ] )

0 Karma
Reply

niketn
Legend
‎12-26-2017 08:33 PM

The query posted in question seems to be if else, which you can implement in the following way:

index=<YourIndexName> OR status_label="Resolved" OR status_label="Closed"
| eval status_value=if(field<=178000, "Resolved","Closed")
| where status_label= status_value

If you have multiple if else conditions, you would have to use case instead (PS: Just created three condition as an example adjust as per your need or use the one mentioned above with if else😞

index==<YourIndexName> status_label="Open" OR status_label="Resolved" OR status_label="Closed"
| eval status_value=case(field<=86400,"Open", field>86400 AND field<=178000, "Resolved",true(),"Closed")
| where status_label= status_value

Refer to Splunk Documentation for evaluation functions if and `case.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#if.28X.2CY.2...
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#case.28X.2C....

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

johnny_goya
Explorer
‎12-26-2017 08:55 PM

Hi niketnilay, thanks for the feedback.

What I want to do is create an if statement that checks a field and if the if statement is false it updates the incident_review_lookup lookup.

I do not know if my question was clearer.

0 Karma
Reply

niketn
Legend
‎12-27-2017 11:29 PM

@johnny_goya, you should have a separate search to identify records to be appended to lookup file. It will be difficult to suggest exact query without looking at your existing SPL. Also make sure you use code button (101010), while posting your SPL so that special characters do not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...