topic Re: Subsearch using boolean logic in Splunk Search

Subsearch using boolean logic

bluemarvel — Fri, 12 Aug 2016 14:22:34 GMT

Hello, I am looking for a search query that can also be used as a dashboard.
The query has to search two different sourcetypes , look for data (eventtype,file...etc.) and if the information is missing in one sourcetype and found in another, then it will provided that data for that sourcetype.

Re: Subsearch using boolean logic

skoelpin — Fri, 12 Aug 2016 15:01:07 GMT

You can use a case statement to do this

... | eval Your_field=case(sourcetype == sourcetype1, "true", sourcetype == sourcetype2, "true" , 1=1, "false")

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions

Re: Subsearch using boolean logic

somesoni2 — Fri, 12 Aug 2016 16:32:53 GMT

Could you be more specific in your requirement, supported with sample queries/events and expected output?