Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conditional SPL

japger_splunk
Splunk Employee
Splunk Employee
‎02-25-2019 06:53 AM

How do you build a query that takes two different SPL paths based on a condition within the data? Example: Write the results of a query to a summary index only if the search name does not begin with "TEST"?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

japger_splunk
Splunk Employee
Splunk Employee
‎02-25-2019 06:54 AM

Use multireport to steer your search down the desired path.

| makeresults 1
|eval search_name="TEST-RiskRule - DDNS Activity Detected - System"
|multireport [|search NOT search_name="TEST*"|collect index=myindex] [|search search_name="TEST*"|collect index=myindex testmode=true]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-25-2019 06:54 AM

if you have a summary generating search with search_name!=TEST* will that not work for you?

0 Karma
Reply
Solved! Jump to solution

japger_splunk
Splunk Employee
Splunk Employee
‎02-25-2019 06:59 AM

Good point. I believe your example is a one-way condition but please correct me if I misunderstand. "Only do this if this condition is met" versus "Do this if it's met or do this if it's not met".

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-25-2019 07:17 AM

I normally prefer to write "only do this if this condition is met", so I know the condition/scenario of the search and helps in troubleshooting.

0 Karma
Reply
Solved! Jump to solution
Solution

japger_splunk
Splunk Employee
Splunk Employee
‎02-25-2019 06:54 AM

Use multireport to steer your search down the desired path.

| makeresults 1
|eval search_name="TEST-RiskRule - DDNS Activity Detected - System"
|multireport [|search NOT search_name="TEST*"|collect index=myindex] [|search search_name="TEST*"|collect index=myindex testmode=true]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...