topic Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2? in Splunk Search

How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

kasu_praveen — Fri, 17 Apr 2015 12:29:06 GMT

I have a search which has a field (say FIELD1). I would like to search the presence of a FIELD1 value in subsearch. If that FIELD1 value is present in subsearch results, then do work-1 (remaining search will change in direction-1), otherwise do work-2 (remaining search will change in direction-2).

pseudo search query:

index="sample_index" sourcetype="sample_sourcetype"| fields FIELD1 | search FIELD1 in [my sub search here| fields FIELD1] | if FIELD1 is present in subsearch, then do work-1, If not do work-2.

I looked at https://answers.splunk.com/answers/31842/why-cant-i-use-subsearch-in-the-case-function-in-the-eval-command.html
But, this is talking about comparing single value with single value from subsearch. What I am looking is finding FIELD1 value in multiple results of subsearch.

Any suggestions to proceed further?

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

stephane_cyrill — Sat, 18 Apr 2015 03:38:35 GMT

Hi, I think you can do it like this:
1- you write a search1 that track FIELD1 (you can use a regex for that ) and put the result in a variable let's say VAR

2- you pipe search1 and use eval command with if() .

3- in the funtion if( ) , at the place of conditionals results you put subsearches.

4- all the previous steps will look like this:

index=.... sourcetype=... search1 |eval result=if( VAR="FIELD1" ,[subsearch1|return $result1 ] , [subsearch2l return $result2] ) | table result

5-note that if you have many conditions you can imbricate if() like this:

if( condition, if(....), [ ] )

6- this is a small example using splunk internal event:

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

kasu_praveen — Thu, 23 Apr 2015 07:20:21 GMT

Thanks for your response @stephane_cyrille, What I was looking is slightly different.

Once I got FIELD1 from search1, I need to search for that value in a subsearch.
If FIELD1 is found in subsearch then proceed with SUBSEARCH1, if not SUBSEARCH2.

So, instead of simply comparing apple to apple (host!="mypc"), Is there a way I can search for FIELD1 value in subsearch?

Explaining In another detailed way, I have 4 searches (SEARCH1 ,SEARCH2 ,SEARCH3 ,SEARCH4).
1. I will get FIELD1 from SEARCH1.
2. Search FIELD1 values in SEARCH2, If found do SEARCH3, If not SEARCH4

Thanks for your time and interest on this. Truly appreciated.
Early response will be much more helpful for me.

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

stephane_cyrill — Thu, 23 Apr 2015 08:45:59 GMT

|multisearch 
 [search <your base search1> here you track FIELD1 and put the result in VAR1] 
 [search <your base search> here you track FIELD1 and put the result in VAR2 ] 
 | eval result=if(VAR1==VAR2, [SEARCH3|return $result1]  ,[SEARCH3|return $result2])

take a look on return command in Search Reference manual.

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

kasu_praveen — Tue, 28 Apr 2015 06:01:41 GMT

This seems to be the approach.
My Query had issues, because of other searches (SEARCH3 and SEARCH4).

Thanks for your time Stephane_cyrille

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

pamcarvalho — Thu, 28 Sep 2017 13:10:29 GMT

I know this question is old, but you could do it using the command map (no, it doesn't have to do with geografic maps)..
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Map

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not,

thuhuongle — Mon, 28 Sep 2020 06:08:01 GMT

Hi @stephane_cyrill

I have run a quick try as your approach but it got only one field return and I need to remove all non streaming command. Do you have another approach to advice?

Re: How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not,

sayleekamthe — Thu, 27 Jan 2022 06:17:44 GMT

Hi, can someone please provide a query for this? I am also looking for something similar. I want a search to retrieve value(VAR1) of FEILD1 and then write search2 with that value(VAR1).