How to match join on certain conditions within the...

koshyk · ‎09-14-2020

I've got a specific requirement to fine tune a search. The search is something like..

<basesearch>
| fields other_fields,host,username
| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]
| table *

The issue I'm facing is if `pci_flag=no`, then I want to ensure the join does NOT include `host`, but if the `pci_flag=yes` I want to be strict and compare host && username. Unfortunately the `pci_flag` is not present in the <basesearch>, so the only way to determine is after the inner-search.

So essentially
I want the search to turn to below style if `pci_flag=no` (See the host is not in join anymore)

| join type=left username [ `mycomplexmacro`| fields macro_fields,pci_flag,username]

I want the search to turn to below style if `pci_flag=yes` (See the host present and strict)

| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]

I tried options like below making, but in vain

 eval host=if(pci_flag==no,"*",host)

How to match join on certain conditions within the inner search?

field extraction

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?