topic How to use conditional search in Splunk Search

How to use conditional search

nelaturivijay — Mon, 13 Jan 2025 14:07:21 GMT

Hi All,

I have a main search where name1 filed will have multiple values
I need to run sub search based on the value of name1.
The structure goes like this:
mail_search
which has name1=a
sub search
if name1=a
then run search1
if name1=b
then run search2

I have tried this with the following code:

I am getting the following error

Unable to run query '"index=_internal | head 1 | eval val=\"Query for a1\" | table val"'.

Re: How to use conditional search

ITWhisperer — Mon, 13 Jan 2025 14:56:28 GMT

If you re trying to do this in a dashboard, try setting a token to the variable part of the search and using that

Re: How to use conditional search

kiran_panchavat — Mon, 13 Jan 2025 17:51:16 GMT

@nelaturivijay Please have a look.

https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/tokens#Using_tokens_in_a_search

Re: How to use conditional search

yuanliu — Tue, 14 Jan 2025 08:55:59 GMT

First, map is usually not the solution to the problem you are trying to solve.

Confusingly, everyone of the three searches will result in a predetermined string value of a single field. Why bother with index=_internal? If you are just trying to make a point of map, you can compose them with makeresults just as easily.

If you really want to use map, study the syntax and examples in map. The whole idea of map is to NOT use case function. To produce the result you intended, here is a proper construct:

This is the output no matter what data you have in _internal.

val

Default query

Query for b

Query for a

However, there are often much easier and better ways to do this. To illustrate, forget val="Query for a". Let's pick more realistic mock values "info", "warn". This is a construct using map.

| makeresults | eval searchterm = mvappend("info", "warn", "nosuchterm") | mvexpand searchterm | map search="search index=_internal log_level=\"$searchterm$\" | stats count by log_level | eval val=if(\"$searchterm$\" IN (\"info\", \"warn\"), \"Query for $searchterm$\", \"Default query\")"

If you examine _internal events, you will know that, even though searchterm is given three values, the above should only give two rows, like

log_level	count	val
INFO	500931	Query for info
WARN	17262	Query for warn

However, the syntax of map makes the search much harder to maintain. Here is an alternative using subsearch. (There are other alternatives based on actual search term and data characteristics.)

If you apply this to the exact same time interval, it will give you exactly the same output.

Hope this helps.