How to match join on certain conditions within the...

Getting Data In

I've got a specific requirement to fine tune a search. The search is something like..

<basesearch>
| fields other_fields,host,username
| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]
| table *

The issue I'm facing is if `pci_flag=no`, then I want to ensure the join does NOT include `host`, but if the `pci_flag=yes` I want to be strict and compare host && username. Unfortunately the `pci_flag` is not present in the <basesearch>, so the only way to determine is after the inner-search.

So essentially
I want the search to turn to below style if `pci_flag=no` (See the host is not in join anymore)

| join type=left username [ `mycomplexmacro`| fields macro_fields,pci_flag,username]

I want the search to turn to below style if `pci_flag=yes` (See the host present and strict)

| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]

I tried options like below making, but in vain

 eval host=if(pci_flag==no,"*",host)

Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...