Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you use if statements in the search query itself?

asherman
Path Finder
‎11-03-2014 08:31 AM

Hi,

I am trying to execute a search based on dropdown menu selection. If user specifies certain options, indexes or other fields change. E.g.,

index=if($index$=official,index_official,index_standard) build=if($index$=official,*,$build$) | ...

However, this does not produce a search, whereas if I search for either

index=index_official build=*
or
index=index_standard build=$build$
the query returns results.

Is it possible to use the if statement at this point in the search query? I prefer not to do a larger query and then filter later with eval commands.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2014 11:05 AM

Try this

index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search] 
|...rest of your search

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2014 11:05 AM

Try this

index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search] 
|...rest of your search
Reply
Solved! Jump to solution

asherman
Path Finder
‎11-03-2014 11:36 AM

This seems to do the trick - thanks.

One question: What exactly is gentimes doing here? Why doesn't the query work without it?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-03-2014 11:40 AM

The gentimes is just used to create a row, so that a field search can be created. You can use "|gentimes start=-1" OR "| stats count" to create a row.

Reply
Solved! Jump to solution

sk314
Builder
‎11-03-2014 10:27 AM

isn't the 'if statement' unnecessary if you are already using the drop down selection? Assuming your drop down selection is working, why won't this work for you?

index=$index$ build=$build$ | ...
0 Karma
Reply
Solved! Jump to solution

asherman
Path Finder
‎11-03-2014 10:46 AM

I have a dropdown selection driving multiple different values. For example, if official I may consider only build=100, settings=high, etc., but if I'm using nonofficial, then build=$specified_build$, settings=$specified_settings$, etc.

Another application is that I have a dropdown menu that chooses which of an array of fields will be set to *, so those fields would look like

build=if($swap_type$=build,,$build$) corner=if($swap_type$=corner,,$corner$) bin=if($swap_type$=bin,*,$bin$) | ...
here, we have specifications for each of the fields: build, corner, bin, however one of them we can select to chart against, so in that case we don't filter it (I'm displaying X over time, with the other two as filters).

I can't think of a way of doing this without if statements.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...