topic Re: Conditional search command in Splunk Search

Conditional search command

Simon — Tue, 07 Jan 2014 07:21:29 GMT

Hi Splunkers,

I was wondering if it's possible to run a search command only under specific conditions?
E.g. when a field containts a specific value or when total number of results are at least X.

Example:
I'm running a search which populates a CSV with outputlookup, but I'd only wanted to write the CSV if there we're any search results.

Other example:
Run iplocation only if Country field is empty.

Thanks,
Simon

Re: Conditional search command

MuS — Tue, 07 Jan 2014 07:51:03 GMT

Hi Simon,

I would try something like this, for the outputlookup example:

YourMagicSearchFoo | stats count | where count>0 | YourOtherMagicSearchFoo

or for the iplocation example:

YourMagicSearchFoo | where Country=null() | YourOtherMagicSearchFoo

hope this helps to get you started ...

cheers, MuS

Re: Conditional search command

Simon — Tue, 07 Jan 2014 07:55:08 GMT

Nice suggestion, but in your case, I'll always loose events, which is not exactly what I want.
To be more precise:

Example 1:
I wanted to populate the CSV only, if there were any results, but then, I want to write all of them. If there are no results, I want to keep the old CSV.

Example 2:
Maybe the result already contains a Country field. If no, and only in this case, I wanted to run iplocation.
The idea is to reduce the amount of iplocation calls.

Re: Conditional search command

somesoni2 — Mon, 28 Sep 2020 15:36:19 GMT

Try following

    |multisearch 
    [search <your base search> | where Country=null() | iplocation....] 
    [search <your base search> | where NOT Country=null() ] 
    | <your other search to get result for outputlookup>
    | append  [inputlookup <lookupfilename> | eventstats count as LU_Count] 
    | eventstats count as Total | eval LU_Count=coalesce(LU_Count,Total) | where LU_Count=Total 
    | fields <list of fields to be exported to lookup csv file> 
    | outputlookup <lookupfilename>

Two subsearches in "|multisearch" will split results from "" to two portion, one with Country=null() and one with Country!=null(). iplocation will be done only for records with Country=null().
Then you append existing data from lookup csv file and LU_Count and Total is calculated.
When your search produces result, LU_Count for results from existing lookup csv file will be less then total and hence will be filtered out (only your base search results are written). If you search produces no result, then result from existing lookup file will be rewritten, hence no data loss.

Re: Conditional search command

Simon — Wed, 08 Jan 2014 12:07:02 GMT

Exactly what I was searching for, perfect! Thank you