help with appendcols needed

damucka · ‎07-29-2019

Hello,

I have quite long SPL search in my alert and one part of it looks as follows:

| eval rcatrigger = ""
| appendcols
[

| noop search_optimization=false
| dbxquery query="myQueryText"   
     connection="HANA_MLBSO"
     |eval rcatrigger=$rcatrigger$| fields - rcatrigger
]

Now, the result is a table, which columns should be appended to another table from the processing happening earlier. My questions would be:
- how do I make it conditional in a way, that the dbxquery should be executed / columns appended only when the rcatrigger variable is not empty, say="1" ? Please see my try above, not workig ...
- the result columns are appended in the lexicographical order to the previous columns, I mean at the end they are mixed by the alphabet order. Is there any way to get the appended cols just on the right side? Unfortunately I cannot sort it later on with table command because the above dbxquery is not always the same - there will be several depending on the rcatrigger, so I do not know what columns will there be returned.

Kind Regards,
Kamil

jawaharas · ‎07-30-2019

I don't think you can pass variables from parent query to subquery (appendcols) as subquery executes first.

You can try 'map' command for your use case.

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map

damucka · ‎07-30-2019

Thank you.

I am not fixed on passing parameter from parent to subquery, what I want to achieve is conditional execution of the appendcols when the rcatrigger=1.
How would I do this?

Kind Regards,
Kamil

help with appendcols needed

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor