Solved: Conditional Search items

danataylor · ‎07-20-2017

I'm trying to create a conditional which will search using one of two search terms based on an IF statement.

A simplified example of what I'm trying to do looks like this:

IF "(condition)",then, "Search1", else, "Search2"

For context, I'm trying to check to see if an IP matches a CIDR range (private address). If there's a match, execute Search1. If not, execute Search2.

I'm new to SPL, coming from a scripting background, so I'm not sure if this method is even possible in Splunk.

Thank you!

Edit: Here is more information

The IF statement (checking if token $ip$ is an internal address:

if((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$)), Search1, else Search2)

Search1 (filtering out other internal addresses, if token $ip$ is an internal address):

sourcetype=example src=$ip$ | where dest!="10.0.0.0/8" | where dest!="172.0.0.0/8"

Search 2 (not filtering internal addresses, if token $ip$ is an external address):

sourcetype=example src=$ip$

I've excluded the sorting commands etc that will be appended, since I do not believe they would affect the logic here.

somesoni2 · ‎07-20-2017

Give this a try

sourcetype=example src=$ip$ | where NOT ((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$) AND (dest="10.0.0.0/8" OR  dest!="172.0.0.0/8")) | ...rest of the search...

OR

sourcetype=example src=$ip$ | where NOT [| gentimes start=-1 | eval dest=if((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")),"10.0.0.0/8#172.0.0.0/8","*") | table dest | makemv dest delim="#" | mvexpand dest ] | ..rest of the search

View solution in original post

somesoni2 · ‎07-20-2017

Give this a try

sourcetype=example src=$ip$ | where NOT ((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$) AND (dest="10.0.0.0/8" OR  dest!="172.0.0.0/8")) | ...rest of the search...

OR

sourcetype=example src=$ip$ | where NOT [| gentimes start=-1 | eval dest=if((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")),"10.0.0.0/8#172.0.0.0/8","*") | table dest | makemv dest delim="#" | mvexpand dest ] | ..rest of the search

danataylor · ‎07-20-2017

Your second solution works! Thank you. However, I don't know how it works. Could you break down these steps for me?

somesoni2 · ‎07-20-2017

The where subsearch is basically drawing down the dest field filter and returning to main search.
a) If (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is true, the subsearch is setting the value of dest as 10.0.0.0/8#172.0.0.0/8, splitting them out and final output will be (including where clause) | where NOT (dest="10.0.0.0/8" OR dest="172.0.0.0/8").
b) if (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is false, the subsearch is setting the value of dest as * and final output will be (including where clause) | where NOT (dest="*"). If I think again, you can use any junk character/string instead of *. The purpose here should be ensure that filter does't match against any records and does no filter.

somesoni2 · ‎07-20-2017

We can help better if you could post both your searches.

Conditional Search items

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation