topic How do you use IF / Else statement to pull different fields including JSON elements? in Splunk Search

How do you use IF / Else statement to pull different fields including JSON elements?

ShoeBuster — Tue, 16 Feb 2021 16:34:44 GMT

Hello Community,

2 part question: First, how to use an IF / ELSE statement, secondly, how to specify the JSON elements in the query. Any examples or helpful

How would I do a search query that depending on the log source, pulls different fields?

For example

index=myIndex

| IF (source=Source1 OR sourcetype=sourceTypeB) pull JSON element1, element2, etc

| ELSE IF logSource=logSource2 pull fieldsname1, fieldname2, etc

Re: How do you use IF / Else statement to pull different fields including JSON elements?

richgalloway — Tue, 16 Feb 2021 19:28:44 GMT

Splunk does not have an IF/ELSE statement. It does, however, have if and case functions that can be used in the eval and where commands.

index=myIndex | eval foo = if(source=Source1 OR sourcetype=sourceTypeB), JSON element1, if(logSource=logSource2), fieldsname1, NULL), NULL) | eval bar = case(source=Source1 OR sourcetype=sourceTypeB), JSON element2, logSource=logSource2, fieldname2, 1==1, NULL) | ...

Re: How do you use IF / Else statement to pull different fields including JSON elements?

ericjorgensenjr — Tue, 16 Feb 2021 20:54:57 GMT

Re: "how to specify the JSON elements in the query":

Example:

- if you have a field titled field1 that has JSON formatted data (e.g. {"att1":"val1","att2":"val2"}

You can do the following:

index=myIndex | spath input=field1 ouput=att1 path=att1 | spath input=field1 output=att1 path=att2 | eval test=case(source=Source1 OR sourcetype=sourceTypeB, att1,logSource=logSource2,fieldname1)

You can also use

| spath input=field1

without any output or path if you want to extract all JSON fields. For more details on the spath command go here: https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Spath