Re: Search inside Eval if statement possible ?

crt89 · ‎01-17-2013

Is it possible to put search inside an eval if statement ? I am making a search that if the count of the field is greater than 1 it would display "Please check your query" then if its equal to 1 it will proceed to my search..

 eval test=if(count>1,"Please check query",count==1,*search command goes here*

Is the eval if statement the thing to use ?

vganjare · ‎04-09-2015

Hi,

You can try using join.

The query can have following logic:

eval test=if(count>1,"Please check query","JOIN_SEARCH") | join test [your custom search | eval test="JOIN_SEARCH"]

Please note, the additional variable "test" in subsearch is required to join the record with first search. So, for all the events where the condition ( count > 1 ) fails, test variable in first search will get value of "JOIN_SEARCH".

Thanks!!

markthompson · ‎02-23-2015

The first point, is that the if statement only takes 3 arguments, if(condition, iftrue, iffalse).

jkat54 · ‎01-17-2013

Can you please give more details? It would help to know the rest of your search string and what search command you want to append to it, etc.

Search inside Eval if statement possible ?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases