Is there a kind of conditional search command that can be used to stop or prematurely terminate a search based on a given condition?
For example, I want to send an email only if a certain condition is matched. Say I had a search set up something like this:
... | stats count | eval should_alert=if(count>5,"t","f") | continueif should_alert | sendemail to="user@domain" subject="My email subject..."
In this made-up example, the continueif search command would prevent the sendemail search command from ever being invoked by the search unless the "should_alert" field was true.
I'm looking for some kind of search command (or set of search commands) to give me continueif-like functionality. I realize that this is generally handled via alerting conditions with a saved search, but I'm wondering if this is possible to do purely from within the search language without relying on the features of the scheduler.
It seems like it may be possible to do something like this with a custom search script; however, the more I think about this the more unsure I am. I know a search could simply return an empty data set, that's easy, but that empty data set is simply passed on to the next search command, so that doesn't really work. The search is not terminated by it. I suppose instead some kind of exception could be raised by a search script which would terminate the search, but I'm guessing that approach would cause other issues; at the very least, it would create extra log messages about a failed search. I guess it may also be possible to make a REST call from within the script and terminate your own search job, but that seems like a really bad idea too.
The search language doesn't contain branching logic like this. We'd rather rely on general-purpose languages (like Python or Java) to provide higher-order behavior like this. I'd suggest using the Python SDK to run the search, check the condition and take action (using the already-run job).
As an aside, there's an argument to the head command to stop fetching earlier events after some boolean predicate is satisfied, but that's a different case.
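As an added example (not code from the original thread), here is the approach the answer above suggests, written against the Splunk Python SDK (splunklib): run the search as a job, check the condition in Python, and call the action only if it holds. The search string, threshold, host, credentials and SMTP settings below are placeholder assumptions. The condition check and the gate are kept as pure functions so they can be exercised on constructed result rows without a Splunk instance; only the `__main__` section talks to Splunk and an SMTP server.

```python
"""Run a Splunk search, test a condition on its results, and act only when it
holds: the "continueif" the question asks for, done outside SPL as the answer
suggests. splunklib is only imported where a live Splunk connection is used."""
import smtplib
from email.message import EmailMessage

# Placeholder search and threshold (assumed values, not from the thread).
SEARCH = ("search index=main sourcetype=access_combined status=500 "
          "earliest=-15m | stats count")
THRESHOLD = 5


def should_alert(rows, field="count", threshold=THRESHOLD):
    """Python equivalent of `eval should_alert=if(count>5,"t","f")`.

    `rows` is the list of result dicts a search returned. Field values come
    back from Splunk as strings, so they are converted before comparison;
    an empty result set or an unparsable value never alerts.
    """
    for row in rows:
        try:
            if int(row.get(field, 0)) > threshold:
                return True
        except (TypeError, ValueError):
            continue
    return False


def continue_if(rows, predicate, action):
    """The `continueif` step: run `action` only when `predicate(rows)` is true.

    Returns True if the action ran, False if the pipeline stopped here.
    """
    if predicate(rows):
        action(rows)
        return True
    return False


def run_search(service, query):
    """Run `query` as a blocking job on a connected splunklib Service and
    return its result rows as a list of dicts (status messages dropped)."""
    from splunklib import results  # imported lazily: only needed live
    job = service.jobs.create(query, exec_mode="blocking")
    return [r for r in results.ResultsReader(job.results()) if isinstance(r, dict)]


def send_email(rows, to="user@domain", smtp_host="localhost"):
    """The `sendemail` step, done with smtplib instead of the SPL command.
    Recipient and SMTP host are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "My email subject..."
    msg["From"] = "splunk-alerts@domain"
    msg["To"] = to
    msg.set_content("Condition matched. Result rows:\n%s"
                    % "\n".join(str(r) for r in rows))
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    from splunklib import client  # pip install splunk-sdk
    # Placeholder connection details (assumed).
    service = client.connect(host="localhost", port=8089,
                             username="admin", password="changeme")
    rows = run_search(service, SEARCH)
    if continue_if(rows, should_alert, send_email):
        print("condition held; email sent")
    else:
        print("condition not met; nothing sent")
```

`exec_mode="blocking"` makes `jobs.create` return only once the job is done, so `job.results()` can be read immediately; `ResultsReader` yields a dict per result row and `Message` objects for search messages, which is why the rows are filtered on type. Because the decision is made in Python, a search that returns no rows simply never reaches the action, which is exactly what the made-up `continueif` was meant to do.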
I'm probably going to hell for mentioning this at all, but we have a looping structure in the map command. With | stats count or * | head 1 as the base search, specify the search argument to map as the search you actually want to run conditionally:

search="search foo | sendemail"

I await my own fiery death. Probably whether this works or not. 😃