
How to match join on certain conditions within the inner search?

koshyk
Super Champion

I've got a specific requirement to fine-tune a search. The search is something like:

<basesearch>
| fields other_fields,host,username
| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]
| table *

The issue I'm facing is that if `pci_flag=no`, I want to ensure the join does NOT include `host`, but if `pci_flag=yes` I want to be strict and compare host && username. Unfortunately `pci_flag` is not present in the <basesearch>, so the only way to determine it is after the inner search.

So essentially, I want the search to turn into the style below if `pci_flag=no` (note that host is no longer in the join):

| join type=left username [ `mycomplexmacro`| fields macro_fields,pci_flag,username]

And I want the search to turn into the style below if `pci_flag=yes` (host present and strict):

| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]

I tried options like the one below, but in vain:

| eval host=if(pci_flag=="no","*",host)

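One way to get the behaviour asked for above in a single SPL pipeline, as an added example rather than anything from the original post: run the strict `host username` join only against the macro rows with `pci_flag=yes`, run a loose `username`-only join against the rows with `pci_flag=no`, and let `coalesce` prefer the strict match. It assumes `mycomplexmacro` produces a result set that can be filtered with `where` inside the subsearch, and it keeps the post's placeholder field names `other_fields` and `macro_fields`.

```spl
<basesearch>
| fields other_fields, host, username
| join type=left host username
    [ `mycomplexmacro`
      | where pci_flag="yes"
      | fields macro_fields, pci_flag, host, username ]
| join type=left username
    [ `mycomplexmacro`
      | where pci_flag="no"
      | fields macro_fields, pci_flag, username
      | rename macro_fields AS np_macro_fields, pci_flag AS np_pci_flag ]
| eval macro_fields=coalesce(macro_fields, np_macro_fields),
       pci_flag=coalesce(pci_flag, np_pci_flag)
| fields - np_*
| table *
```

Both joins keep the default `max=1`, so each event still picks up at most one macro row, and an event whose username matches only a `pci_flag=yes` row on a different host falls through with no macro fields, exactly as a left join would. The macro runs twice, so subsearch result and time limits apply to each half separately.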