Hello,
I have quite a long SPL search in my alert, and one part of it looks as follows:
    | eval rcatrigger = ""
    | appendcols
        [
        | noop search_optimization=false
        | dbxquery query="myQueryText" connection="HANA_MLBSO"
        | eval rcatrigger=$rcatrigger$
        | fields - rcatrigger
        ]
Now, the result is a table whose columns should be appended to another table from the processing happening earlier. My questions would be:
- How do I make it conditional, so that the dbxquery is executed / the columns are appended only when the rcatrigger variable is not empty, say="1"? Please see my try above, not working ...
- The result columns are appended in lexicographical order to the previous columns, I mean at the end they are mixed in alphabetical order. Is there any way to get the appended cols just on the right side? Unfortunately I cannot sort it later on with the table command because the above dbxquery is not always the same - there will be several depending on the rcatrigger, so I do not know what columns will be returned.
Kind Regards,
Kamil
I don't think you can pass variables from the parent query to the subquery (appendcols), as the subquery executes first.
You can try 'map' command for your use case.
Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map
Thank you.
I am not fixed on passing a parameter from the parent to the subquery; what I want to achieve is conditional execution of the appendcols when rcatrigger=1.
How would I do this?
Kind Regards,
Kamil