- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Conditional Search items
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to create a conditional which will search using one of two search terms based on an IF statement.
A simplified example of what I'm trying to do looks like this:
IF "(condition)",then, "Search1", else, "Search2"
For context, I'm trying to check to see if an IP matches a CIDR range (private address). If there's a match, execute Search1. If not, execute Search2.
I'm new to SPL, coming from a scripting background, so I'm not sure if this method is even possible in Splunk.
Thank you!
Edit: Here is more information
The IF statement (checking if token $ip$ is an internal address:
if((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$)), Search1, else Search2)
Search1 (filtering out other internal addresses, if token $ip$ is an internal address):
sourcetype=example src=$ip$ | where dest!="10.0.0.0/8" | where dest!="172.0.0.0/8"
Search 2 (not filtering internal addresses, if token $ip$ is an external address):
sourcetype=example src=$ip$
I've excluded the sorting commands etc that will be appended, since I do not believe they would affect the logic here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
sourcetype=example src=$ip$ | where NOT ((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$) AND (dest="10.0.0.0/8" OR dest!="172.0.0.0/8")) | ...rest of the search...
OR
sourcetype=example src=$ip$ | where NOT [| gentimes start=-1 | eval dest=if((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")),"10.0.0.0/8#172.0.0.0/8","*") | table dest | makemv dest delim="#" | mvexpand dest ] | ..rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
sourcetype=example src=$ip$ | where NOT ((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$) AND (dest="10.0.0.0/8" OR dest!="172.0.0.0/8")) | ...rest of the search...
OR
sourcetype=example src=$ip$ | where NOT [| gentimes start=-1 | eval dest=if((cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")),"10.0.0.0/8#172.0.0.0/8","*") | table dest | makemv dest delim="#" | mvexpand dest ] | ..rest of the search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your second solution works! Thank you. However, I don't know how it works. Could you break down these steps for me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The where subsearch is basically drawing down the dest field filter and returning to main search.
a) If (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is true, the subsearch is setting the value of dest as 10.0.0.0/8#172.0.0.0/8, splitting them out and final output will be (including where clause) | where NOT (dest="10.0.0.0/8" OR dest="172.0.0.0/8").
b) if (cidrmatch("10.0.0.0/8","$ip$") OR cidrmatch("172.0.0.0/8","$ip$")) is false, the subsearch is setting the value of dest as * and final output will be (including where clause) | where NOT (dest="*"). If I think again, you can use any junk character/string instead of *. The purpose here should be ensure that filter does't match against any records and does no filter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We can help better if you could post both your searches.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
