Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you use if statements in the search query itself?

asherman
Path Finder
‎11-03-2014 08:31 AM

Hi,

I am trying to execute a search based on dropdown menu selection. If user specifies certain options, indexes or other fields change. E.g.,

index=if($index$=official,index_official,index_standard) build=if($index$=official,*,$build$) | ...

However, this does not produce a search, whereas if I search for either

index=index_official build=*
or
index=index_standard build=$build$
the query returns results.

Is it possible to use the if statement at this point in the search query? I prefer not to do a larger query and then filter later with eval commands.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2014 11:05 AM

Try this

index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search] 
|...rest of your search

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2014 11:05 AM

Try this

index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search] 
|...rest of your search
Reply
Solved! Jump to solution

asherman
Path Finder
‎11-03-2014 11:36 AM

This seems to do the trick - thanks.

One question: What exactly is gentimes doing here? Why doesn't the query work without it?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-03-2014 11:40 AM

The gentimes is just used to create a row, so that a field search can be created. You can use "|gentimes start=-1" OR "| stats count" to create a row.

Reply
Solved! Jump to solution

sk314
Builder
‎11-03-2014 10:27 AM

isn't the 'if statement' unnecessary if you are already using the drop down selection? Assuming your drop down selection is working, why won't this work for you?

index=$index$ build=$build$ | ...
0 Karma
Reply
Solved! Jump to solution

asherman
Path Finder
‎11-03-2014 10:46 AM

I have a dropdown selection driving multiple different values. For example, if official I may consider only build=100, settings=high, etc., but if I'm using nonofficial, then build=$specified_build$, settings=$specified_settings$, etc.

Another application is that I have a dropdown menu that chooses which of an array of fields will be set to *, so those fields would look like

build=if($swap_type$=build,,$build$) corner=if($swap_type$=corner,,$corner$) bin=if($swap_type$=bin,*,$bin$) | ...
here, we have specifications for each of the fields: build, corner, bin, however one of them we can select to chart against, so in that case we don't filter it (I'm displaying X over time, with the other two as filters).

I can't think of a way of doing this without if statements.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...