topic Re: Conditional Search items in Splunk Search

Conditional Search items

danataylor — Thu, 20 Jul 2017 14:15:17 GMT

I'm trying to create a conditional which will search using one of two search terms based on an IF statement.

A simplified example of what I'm trying to do looks like this:

IF "(condition)",then, "Search1", else, "Search2"

For context, I'm trying to check to see if an IP matches a CIDR range (private address). If there's a match, execute Search1. If not, execute Search2.

I'm new to SPL, coming from a scripting background, so I'm not sure if this method is even possible in Splunk.

Thank you!

Edit: Here is more information

The IF statement (checking if token $ip$ is an internal address:

if((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$)), Search1, else Search2)

Search1 (filtering out other internal addresses, if token $ip$ is an internal address):

sourcetype=example src=$ip$ | where dest!="10.0.0.0/8" | where dest!="172.0.0.0/8"

Search 2 (not filtering internal addresses, if token $ip$ is an external address):

sourcetype=example src=$ip$

I've excluded the sorting commands etc that will be appended, since I do not believe they would affect the logic here.

Re: Conditional Search items

somesoni2 — Thu, 20 Jul 2017 17:24:31 GMT

We can help better if you could post both your searches.

Re: Conditional Search items

somesoni2 — Thu, 20 Jul 2017 18:38:26 GMT

Give this a try

sourcetype=example src=$ip$ | where NOT ((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$) AND (dest="10.0.0.0/8" OR  dest!="172.0.0.0/8")) | ...rest of the search...

sourcetype=example src=$ip$ | where NOT [| gentimes start=-1 | eval dest=if((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")),"10.0.0.0/8#172.0.0.0/8","*") | table dest | makemv dest delim="#" | mvexpand dest ] | ..rest of the search

Re: Conditional Search items

danataylor — Thu, 20 Jul 2017 19:15:58 GMT

Your second solution works! Thank you. However, I don't know how it works. Could you break down these steps for me?

Re: Conditional Search items

somesoni2 — Thu, 20 Jul 2017 19:58:34 GMT

The where subsearch is basically drawing down the dest field filter and returning to main search.
a) If (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is true, the subsearch is setting the value of dest as 10.0.0.0/8#172.0.0.0/8, splitting them out and final output will be (including where clause) | where NOT (dest="10.0.0.0/8" OR dest="172.0.0.0/8").
b) if (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is false, the subsearch is setting the value of dest as * and final output will be (including where clause) | where NOT (dest="*"). If I think again, you can use any junk character/string instead of *. The purpose here should be ensure that filter does't match against any records and does no filter.