How to match join on certain conditions within the inner search?

koshyk
Super Champion

I've got a specific requirement to fine-tune a search. The search is something like:

<basesearch>
| fields other_fields,host,username
| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]
| table *

The issue I'm facing is that if `pci_flag=no`, I want to ensure the join does NOT include `host`, but if `pci_flag=yes` I want to be strict and compare host && username. Unfortunately `pci_flag` is not present in the <basesearch>, so the only way to determine it is after the inner search.

So essentially, I want the search to turn into the style below if `pci_flag=no` (note that host is no longer in the join):

| join type=left username [ `mycomplexmacro`| fields macro_fields,pci_flag,username]

I want the search to turn into the style below if `pci_flag=yes` (note that host is present and strict):

| join type=left host username [ `mycomplexmacro`| fields macro_fields,pci_flag,host,username]

I tried options like the one below, but in vain:

| eval host=if(pci_flag=="no","*",host)
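As an added example that is not part of the post, here is a small Python model of the join semantics the question asks for: a plain equality join on host and username (what `join` does), the post's `host="*"` rewrite, and the desired conditional join where host is compared only when the inner row carries `pci_flag=yes`. Field names follow the post; the row values are constructed.

```python
# Added example, not from the original post. Field names (host, username,
# pci_flag, macro_fields, other_fields) follow the post; row values are constructed.

BASE = [  # rows standing in for <basesearch>
    {"other_fields": "a", "host": "web01", "username": "alice"},
    {"other_fields": "b", "host": "web02", "username": "alice"},
    {"other_fields": "c", "host": "db01", "username": "bob"},
    {"other_fields": "d", "host": "db02", "username": "bob"},
    {"other_fields": "e", "host": "x", "username": "carol"},
]

MACRO = [  # rows standing in for the output of `mycomplexmacro`
    {"macro_fields": "m1", "pci_flag": "no", "host": "web01", "username": "alice"},
    {"macro_fields": "m2", "pci_flag": "yes", "host": "db01", "username": "bob"},
]


def equality_join(base, inner, keys):
    """Left join on equality of every key; first match wins (like join max=1)."""
    out = []
    for row in base:
        merged = dict(row)
        for cand in inner:
            if all(row.get(k) == cand.get(k) for k in keys):
                merged.update({k: v for k, v in cand.items() if k not in keys})
                break
        out.append(merged)
    return out


def wildcard_attempt():
    """The post's idea: set host to "*" on the inner side when pci_flag is "no".
    An equality join never treats "*" as a wildcard, so the rewritten inner row
    matches nothing, and even the web01 row loses its match."""
    inner = [dict(r, host="*" if r["pci_flag"] == "no" else r["host"]) for r in MACRO]
    return equality_join(BASE, inner, ["host", "username"])


def conditional_join(base, inner):
    """Desired semantics: join on username; host must also match only when the
    inner row says pci_flag == "yes". The decision depends on the inner row, which
    is why a fixed join key list cannot express it."""
    out = []
    for row in base:
        merged = dict(row)
        for cand in inner:
            if cand["username"] != row["username"]:
                continue
            if cand["pci_flag"] == "yes" and cand["host"] != row["host"]:
                continue
            merged.update({k: v for k, v in cand.items() if k not in ("host", "username")})
            break
        out.append(merged)
    return out
```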