https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397045#M3420 <P>How do you build a query that takes two different SPL paths based on a condition within the data? Example: Write the results of a query to a summary index only if the search name does not begin with "TEST"?</P> Mon, 25 Feb 2019 14:53:00 GMT japger_splunk 2019-02-25T14:53:00Z https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397045#M3420 <P>How do you build a query that takes two different SPL paths based on a condition within the data? Example: Write the results of a query to a summary index only if the search name does not begin with "TEST"?</P> Mon, 25 Feb 2019 14:53:00 GMT https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397045#M3420 japger_splunk 2019-02-25T14:53:00Z https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397046#M3421 <P>Use multireport to steer your search down the desired path.</P> <P>| makeresults 1<BR /> |eval search_name="TEST-RiskRule - DDNS Activity Detected - System"<BR /> |multireport [|search NOT search_name="TEST*"|collect index=myindex] [|search search_name="TEST*"|collect index=myindex testmode=true]</P> Tue, 29 Sep 2020 23:20:58 GMT https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397046#M3421 japger_splunk 2020-09-29T23:20:58Z https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397047#M3422 <P>if you have a summary generating search with search_name!=TEST* will that not work for you?</P> Mon, 25 Feb 2019 14:54:54 GMT https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397047#M3422 lakshman239 2019-02-25T14:54:54Z https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397048#M3423 <P>Good point. I believe your example is a one-way condition but please correct me if I misunderstand. "Only do this if this condition is met" versus "Do this if it's met or do this if it's not met". </P> Mon, 25 Feb 2019 14:59:27 GMT https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397048#M3423 japger_splunk 2019-02-25T14:59:27Z https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397049#M3424 <P>I normally prefer to write "only do this if this condition is met", so I know the condition/scenario of the search and helps in troubleshooting.</P> Mon, 25 Feb 2019 15:17:15 GMT https://community.splunk.com/t5/Knowledge-Management/Conditional-SPL/m-p/397049#M3424 lakshman239 2019-02-25T15:17:15Z