Splunk Search

change search based on the event's field's value

matansocher
Contributor

Hi,

I have a very big data set, and I want to return different fields from it, based on the value of another field (two values possible).
If that field's (fieldA) value is 'aaa' I want to take the search to one place, and if the value is 'bbb' to another place, but at the end I want to go through the data only once.

Now, I have a search for each of the options, which I concatenate at the end:
index=main fieldA='aaa'
| set of commands
and
index=main fieldA='bbb'
| different set of commands

By doing that I am running over the same data twice. I want to run over the data once with something like:

index=main
| if(fieldA='aaa', set of commands, different set of commands)

I want to take care of the event differently for the two values possible of fieldA.

Is there an option to do that, or will I have to run over the data set twice?

p_gurav
Champion

Hi,

You can try something like:

index=main
| if(fieldA='aaa', [set of commands], [different set of commands])

Refer to this link:
https://answers.splunk.com/answers/229204/how-to-write-a-search-where-if-a-specific-value-fo.html

0 Karma

matansocher
Contributor

I have had a look at that question, but it is still going through the results twice.

index=* 
| eval result=if( host != "myPc" , 
    [ search index=_
    | stats dc(host) as cc 
    | return $cc] , 
    [ search index=_ 
    | stats c(source) as cs 
    | return $cs] ) 
| table result

'search index=_' is there twice

0 Karma
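A single-pass version of what the question asks for, added here as an example and not taken from any post in this thread: instead of one subsearch per branch (which is what scans the data twice), `eval case()` picks the per-event field according to fieldA, and one `stats ... BY fieldA` aggregates each branch separately. Only `index=main`, `fieldA` and the values 'aaa'/'bbb' come from the thread; the fields `src` and `dest`, standing in for the two different "sets of commands", are assumptions.

```spl
index=main (fieldA="aaa" OR fieldA="bbb")
| eval branch_field=case(fieldA="aaa", src, fieldA="bbb", dest)
| stats count AS events, dc(branch_field) AS distinct_values, values(branch_field) AS seen_values BY fieldA
```

This works whenever each branch's logic can be written as eval and stats functions (conditional aggregations such as `count(eval(fieldA="aaa"))` also fit the pattern); SPL cannot route an event through a different command pipeline per value, so a separate subsearch per branch always means a second pass over the index.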

elliotproebstel
Champion

Could you perhaps describe the overall problem statement and give some more details? It's quite likely that the community can give more complete support if we have a better understanding of your goals and a better sense of how you're trying to approach them.

0 Karma

matansocher
Contributor

Edited the question; I think it now has a deeper explanation of the problem.

0 Karma