Splunk Search

Can you use if statements in the search query itself?

asherman
Path Finder

Hi,

I am trying to execute a search based on dropdown menu selection. If user specifies certain options, indexes or other fields change. E.g.,

index=if($index$=official,index_official,index_standard) build=if($index$=official,*,$build$) | ...

However, this does not produce a search, whereas if I search for either

index=index_official build=*
or
index=index_standard build=$build$
the query returns results.

Is it possible to use the if statement at this point in the search query? I prefer not to do a larger query and then filter later with eval commands.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search] 
|...rest of your search


asherman
Path Finder

This seems to do the trick - thanks.

One question: What exactly is gentimes doing here? Why doesn't the query work without it?

0 Karma

somesoni2
Revered Legend

gentimes is just used to create a row, so that a search field can be created. You can use "| gentimes start=-1" OR "| stats count" to create a row.

sk314
Builder

Isn't the 'if statement' unnecessary if you are already using the dropdown selection? Assuming your dropdown selection is working, why won't this work for you?

index=$index$ build=$build$ | ...
0 Karma

asherman
Path Finder

I have a dropdown selection driving multiple different values. For example, if official I may consider only build=100, settings=high, etc., but if I'm using nonofficial, then build=$specified_build$, settings=$specified_settings$, etc.

Another application is that I have a dropdown menu that chooses which of an array of fields will be set to *, so those fields would look like

build=if($swap_type$=build,*,$build$) corner=if($swap_type$=corner,*,$corner$) bin=if($swap_type$=bin,*,$bin$) | ...

Here, we have specifications for each of the fields: build, corner, bin. However, one of them we can select to chart against, so in that case we don't filter it (I'm displaying X over time, with the other two as filters).

I can't think of a way of doing this without if statements.

0 Karma
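The accepted subsearch pattern applied to the three-field swap described in the post above, written out as an added example rather than code from the thread. The field and token names build, corner, bin and swap_type come from the post; index=index_standard, the count aggregation and the final timechart are assumptions. Each subsearch uses "| stats count" to generate a single row, sets a field named search, and returns it, so the subsearch's text is spliced into the outer search as either * or the quoted token value:

```spl
index=index_standard
    build=[| stats count | eval search=if("$swap_type$"="build", "*", "\"$build$\"") | table search]
    corner=[| stats count | eval search=if("$swap_type$"="corner", "*", "\"$corner$\"") | table search]
    bin=[| stats count | eval search=if("$swap_type$"="bin", "*", "\"$bin$\"") | table search]
| timechart count by $swap_type$
```

Dashboard tokens are substituted as plain text before the search runs, so wrapping the token in escaped double quotes inside the eval string (\"$build$\") keeps a value containing spaces or special characters from breaking the outer search; the unquoted form in the accepted answer works as long as the selected values are simple identifiers. The last line charts whichever field the dropdown selected, since $swap_type$ expands to the field name itself.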