How to add a conditional where based on the field existence?

jieli — Fri, 24 Apr 2020 15:22:40 GMT

I use the command above to filter the result by looking into the json field cityCode, and verify if the value equals to my dropdown value selection, by default all cityCode would be included (%).
The issue is when the message does not have the cityCode field, the default select All cityCode will not work since the like (pcc,"%") would fail.

Currently, the conditional selection is inside the where clause, Is there a way to do conditional selection outside the where clause, meaning if I did not select cityCode, the where clause should be ignored completely.

Re: How to add a conditional where based on the field existence?

manjunathmeti — Fri, 24 Apr 2020 16:29:41 GMT

hi @jieli,

Try this. Here pcc will be set to "" values when cityCode not exists in the events and like matches "" values.

mvexpand metrics | spath input=metrics | eval pcc = if(isnotnull(cityCode), cityCode, "") | where if($selected_pcc|s$="all",like(pcc,"%"),like(pcc,$selected_pcc|s$)) | stats count as Total

topic Re: How to add a conditional where based on the field existence? in Splunk Search

How to add a conditional where based on the field existence?

Re: How to add a conditional where based on the field existence?