topic Re: Can I perform If-Then-Else logic within a search? in Splunk Search

Can I perform If-Then-Else logic within a search?

johnny_goya — Tue, 29 Sep 2020 17:26:12 GMT

Can I use if else for multiple search?

Like this:
index=* | eval result=if(field<=178000, [ search index=notable | regex status_label="Resolved" ] , [ search index=notable | regex status_label="Closed" ])

Re: Can I perform If-Then-Else logic within a search?

niketn — Wed, 27 Dec 2017 04:33:22 GMT

The query posted in question seems to be if else, which you can implement in the following way:

index=<YourIndexName> OR status_label="Resolved" OR status_label="Closed"
| eval status_value=if(field<=178000, "Resolved","Closed")
| where status_label= status_value

If you have multiple if else conditions, you would have to use case instead (PS: Just created three condition as an example adjust as per your need or use the one mentioned above with if else😞

index==<YourIndexName> status_label="Open" OR status_label="Resolved" OR status_label="Closed"
| eval status_value=case(field<=86400,"Open", field>86400 AND field<=178000, "Resolved",true(),"Closed")
| where status_label= status_value

Refer to Splunk Documentation for evaluation functions if and `case.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#if.28X.2CY.2CZ.29
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#case.28X.2C.22Y.22.2C....29

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Tue, 29 Sep 2020 17:26:15 GMT

Hi niketnilay, thanks for the feedback.

What I want to do is create an if statement that checks a field and if the if statement is false it updates the incident_review_lookup lookup.

I do not know if my question was clearer.

Re: Can I perform If-Then-Else logic within a search?

493669 — Tue, 29 Sep 2020 17:22:22 GMT

so you want if (field<=178000) then update result="Resolved" else update incident_review_lookup lookup
is my understanding correct?

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Tue, 29 Sep 2020 17:22:25 GMT

I want something like that.

I tried to use the following query.

Re: Can I perform If-Then-Else logic within a search?

nikita_p — Wed, 27 Dec 2017 09:28:54 GMT

Hi johnny_goya,
Few questions i have. what are the fields in your lookup and which is the identical field in lookup and logs. Is "field" present in your logs?

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Wed, 27 Dec 2017 22:53:49 GMT

I'm talking about the Enterprise Security lookup incident review. This lookup stores the entire workflow of the generated events.

The field was created by the time difference. [field = now () - last update of the event].

I want the notable goes to status_label Closed automatically after 2 days.

Re: Can I perform If-Then-Else logic within a search?

DalJeanis — Thu, 28 Dec 2017 01:23:02 GMT

Your search doesn't make sense as you have written it.

The flow of a splunk search starts at the top and flows down, affecting each event in the input set by one command at a time. You are apparently trying to bring in a "flow" of data at the spot of your if statement -- which does not work in splunk or any other language.

So, start over and rethink your requirements from the point of view of each individual event being processed. Describe to yourself, and then us, what needs to happen to each one.

Please remember also, though, that when you output a record with append=t to a lookup, that all the prior records are still there, so it is NOT the same as updating an existing record.

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Tue, 29 Sep 2020 17:26:48 GMT

I've just posted the part of the query that I'm in doubt about.

Do you know some way to do my task? I tried to use this search, but it does not execute if statement correctly. It always executes the subsearch regardless of the result of the if statement.

I need to automate changing the status_label of a notable case if it has been in status_label resolved for more than 2 days.

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Thu, 28 Dec 2017 02:35:08 GMT

I'm trying to avoid using script

Re: Can I perform If-Then-Else logic within a search?

niketn — Thu, 28 Dec 2017 07:29:01 GMT

@johnny_goya, you should have a separate search to identify records to be appended to lookup file. It will be difficult to suggest exact query without looking at your existing SPL. Also make sure you use code button (101010), while posting your SPL so that special characters do not escape.

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Thu, 28 Dec 2017 07:47:59 GMT

Thanks for the support. Thanks for the advice.

Re: Can I perform If-Then-Else logic within a search?

johnny_goya — Thu, 28 Dec 2017 07:48:45 GMT

I think I've found a way to reach my goal.
I will separate the querys and use summary index.
Thanks for the support guys. Thanks for the advice.