Splunk Search

Can the Returned Value From a Case Function be a Search

genesiusj
Builder

Hello,
Can the Returned Value From a Case Function be a Search?

index="pay_test"
    AND host IN ("pay20", "pay21") 
| eval priority=case("INFO1", 
    [ search index="epay_test"
        AND host IN ("pay20", "pay21")
        AND (localrefid!="" OR localrefid!="null")
        AND (token!="" OR token!="null")
        AND failCode="N"]
    ,"DEBUG1", 
    [ search index="pay_test"
        AND host IN ("pay20", "pay21")
        AND category="client.jms.DatabaseInsertMBClient"
        AND FAILCODE="N"
        AND TOTALAMOUNT!=0]) 
| table _raw

This is a small sample of the code. There could be 10-20 or more values for the field priority, each with their own set of fields that need to be examined.

So is it possible to run searches dependent upon the value of a case function?

BTW, the above code produced this error.

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') )'.

Thanks and God bless,
Genesius

0 Karma

genesiusj
Builder

Doing more research on the case function, I discovered it is not similar to case commands in other programming languages. It does not permit branching to another set of commands. The arguments can only be field values.

According to the Splunk docs, https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/ConditionalFunctions

case accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that are evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument is returned. The function defaults to NULL if none are true.

Y can only be an argument, and not a returned set of new search commands.

Thanks and God bless,
Genesius

0 Karma
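An added example (mine, not from the thread) showing the shape that case does accept: each pair is a Boolean expression followed by the value to return for that event, evaluated first to last, and the first TRUE pair wins. The index, hosts and field names are reused from the opening post; the trailing `1==1, "OTHER"` pair is the usual catch-all, since case otherwise returns NULL when no condition matches.

```spl
index="pay_test" host IN ("pay20", "pay21")
| eval priority=case(
      category=="client.jms.DatabaseInsertMBClient" AND FAILCODE=="N" AND TOTALAMOUNT!=0, "DEBUG1",
      isnotnull(localrefid) AND localrefid!="null" AND isnotnull(token) AND token!="null" AND failCode=="N", "INFO1",
      1==1, "OTHER")
| stats count BY priority
```

Every Y here is a per-event value, which is all eval can evaluate; a bracketed `[ search ... ]` in that position is what makes the eval parser report the "expression is malformed" error quoted in the first post. Note that the order of the pairs matters: an event that satisfies both conditions is labelled DEBUG1 because that pair is checked first.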

woodcock
Esteemed Legend

Yes, using either a subsearch, or map but you must be very careful.

0 Karma

genesiusj
Builder

@woodcock
From what I've seen with the map command (which in the docs is very little; more was available in Answers) the same set of search commands is run over a number of maxsearches. This is not what I am looking for.

It looks like subsearch is similar in that the same set of search commands will be run.

Thanks and God bless,
Genesius

0 Karma

woodcock
Esteemed Legend

This helps but I am still unclear on the big picture. What are you trying to do EXACTLY?

0 Karma

genesiusj
Builder

@woodcock
Apologies to you and the other forum users for not responding sooner.

The logs being ingested are sourcetype=log4j, with some customization.

What I need to accomplish is to have a different set of search commands run depending upon the value of the priority field (INFO, DEBUG, ERROR, etc.). I was thinking about using the case function because I worked with case in my former programming days (Teradata SQL), and seem to remember being able to add a full set of SQL (or branch to other SQL commands) based on the value of each case. However, after rereading the Splunk docs, I learned only values can be returned from a case function. Not an entire set of search commands.

BTW, when I checked the map command it appears to behave similarly to the for-next loop structures used in other programming languages; i.e., the same set of commands would be repeated for each value of the priority field. However, I need different SPL commands run for each different priority value.

Example using 3 of the common values for the priority field.

  • INFO: the required fields for these events are being extracted with no other transformations required on my end.
  • ERROR: new fields need to be extracted requiring the | rex command against _raw.
  • DEBUG: requires calculations be performed against both currently extracted and rex'ed fields using | eval commands.

Therefore, I will use subsearches.

How do I go about closing this post?

Also, how did you format the words subsearch and map in your response above?

Thanks and God bless,
Genesius

0 Karma
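An added example (mine, not the poster's or any other participant's) of one way to run a different set of commands per priority value inside a single search: multisearch runs one streaming subsearch per branch, so each branch can carry its own rex and eval, and the results are merged into one result set. The index, hosts, sourcetype and the INFO/ERROR/DEBUG split are taken from the post above; the regular expressions, the `err_class`, `err_msg` and `fee` field names and the `net_amount` calculation are assumptions standing in for whatever the real log4j lines contain.

```spl
| multisearch
    [ search index="pay_test" host IN ("pay20", "pay21") sourcetype="log4j" priority="INFO" ]
    [ search index="pay_test" host IN ("pay20", "pay21") sourcetype="log4j" priority="ERROR"
      | rex field=_raw "(?<err_class>[\w.]+Exception):\s*(?<err_msg>[^\r\n]*)" ]
    [ search index="pay_test" host IN ("pay20", "pay21") sourcetype="log4j" priority="DEBUG"
      | rex field=_raw "fee=(?<fee>\d+(\.\d+)?)"
      | eval net_amount=TOTALAMOUNT - fee ]
| table _time host priority err_class err_msg TOTALAMOUNT fee net_amount _raw
```

The INFO branch has no extra commands because those events already arrive with the required fields; the ERROR branch adds the rex against _raw; the DEBUG branch adds a rex plus an eval that combines an already-extracted field (TOTALAMOUNT) with a rex'ed one (fee). Two caveats: every branch of multisearch must consist of streaming commands only (rex, eval, where, search are fine; stats, sort or transaction inside a branch are not), and if a branch really needs a transforming command, append is the alternative, at the cost of the subsearch limits (result count and run time) that append is subject to and multisearch is not. In practice, a single search with the rex commands applied to all events and the calculations wrapped in `if(priority=="DEBUG", ..., null())` also works, because rex simply yields no field on events it does not match.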

genesiusj
Builder

@woodcock
Thanks. I updated the post above with actual code.
God bless,
Genesius

0 Karma

mayurr98
SplunkTrust

Try this :

...[search eval field2=case(field1,"dssd") | return field2]

Refer this :
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return

0 Karma

genesiusj
Builder

@mayurr98
Not exactly what I am looking for.
Using your example, based on field1, dssd needs to be a full search with index, source(types), hosts, booleans, rex's, evals, etc....

Thanks and God bless,
Genesius

0 Karma