Solved: How to add a conditional where based on the field ...

jieli · ‎04-24-2020

I use the command above to filter the result by looking into the json field cityCode, and verify if the value equals to my dropdown value selection, by default all cityCode would be included (%).
The issue is when the message does not have the cityCode field, the default select All cityCode will not work since the like (pcc,"%") would fail.

Currently, the conditional selection is inside the where clause, Is there a way to do conditional selection outside the where clause, meaning if I did not select cityCode, the where clause should be ignored completely.

manjunathmeti · ‎04-24-2020

hi @jieli,

Try this. Here pcc will be set to "" values when cityCode not exists in the events and like matches "" values.

mvexpand metrics | spath input=metrics | eval pcc = if(isnotnull(cityCode), cityCode, "") | where if($selected_pcc|s$="all",like(pcc,"%"),like(pcc,$selected_pcc|s$)) | stats count as Total

View solution in original post

manjunathmeti · ‎04-24-2020

hi @jieli,

Try this. Here pcc will be set to "" values when cityCode not exists in the events and like matches "" values.

mvexpand metrics | spath input=metrics | eval pcc = if(isnotnull(cityCode), cityCode, "") | where if($selected_pcc|s$="all",like(pcc,"%"),like(pcc,$selected_pcc|s$)) | stats count as Total

How to add a conditional where based on the field existence?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases