How to match join on certain conditions within the...

Getting Data In

I've got a specific requirement to fine tune a search. The search is something like..

<basesearch>
| fields other_fields,host,username
| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]
| table *

The issue I'm facing is if `pci_flag=no`, then I want to ensure the join does NOT include `host`, but if the `pci_flag=yes` I want to be strict and compare host && username. Unfortunately the `pci_flag` is not present in the <basesearch>, so the only way to determine is after the inner-search.

So essentially
I want the search to turn to below style if `pci_flag=no` (See the host is not in join anymore)

| join type=left username [ `mycomplexmacro`| fields macro_fields,pci_flag,username]

I want the search to turn to below style if `pci_flag=yes` (See the host present and strict)

| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]

I tried options like below making, but in vain

 eval host=if(pci_flag==no,"*",host)

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...