- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- change search based on the event's field's value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
change search based on the event's field's value
Hi,
I have a very big data set, and I want to return different fields from it, based on a value of another field (2 values possible).
if that field's (fieldA) value is 'aaa' I want to take the search to one place, and if the value is 'bbb' to another place, but at the end I want to go through the data only once.
now, I have a search for each of the options, which I concatenate them at their end:
index=main fieldA='aaa'
| set of commands
and
index=main fieldA='bbb'
| different set of commands
by that I am running on the same data twice. I want to run over the data once with something like:
index=main
| if(fieldA='aaa', set of commands, different set of commands)
I want to take care of the event differently for the two values possible of fieldA.
Is there an option to do that, or I will have to run over the data set twice?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try something like:
index=main
| if(fieldA='aaa', [set of commands], [different set of commands])
Refer this links:
https://answers.splunk.com/answers/229204/how-to-write-a-search-where-if-a-specific-value-fo.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have given a look at that question, but it is still going through the results twice.
index=*
| eval result=if( host != "myPc" ,
[ search index=_
| stats dc(host) as cc
| return $cc] ,
[ search index=_
| stats c(source) as cs
| return $cs] )
| table result
'search index=_' is there twice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you perhaps describe the overall problem statement and give some more details? It's quite likely that the community can give more complete support if we have a better understanding of your goals and a better sense of how you're trying to approach them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edited the question, I think that now it has a deeper explanation of the problem
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
