I have 2 fields that I need to search on - Field1 and Field2. Most of the time I only want to search on Field1 but occasionally it contains a value which means I need to also search for Field2. I have a rex statement which populates a variable when Field1 contains the keyword so I need my search to look like this:
rex KeywordFound=(find the key word) |
if KeywordFound is null search for Field1
else search for Field1 and Field2 |
Can this kind of conditional search be done with Splunk?
Thanks
Do you need just to search for the general existence of Field1 and Field2?
I imagine you could use a subsearch to accomplish this. You start off the outer search with searching for Field1 and then use the subsearch for adding a search for Field2 if the subsearch finds the keyword. Something like this:
Field1=* [search * | rex "(?<KeywordFound>blahblah)" | search KeywordFound=* | head 1 | eval query="Field2=*" | fields query]
I'm not completely following your logic but your post has given me an idea that should work. When KeywordFound is null I'll evaluate Field2 to a wildcard so that all events match, meaning the only field actually being used in the search is Field1.
I'm off to try out the theory. If it works I shall award the points 🙂
Thanks
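Both approaches from this thread written out as complete searches. This is an added example, not code from either poster; the index name, sourcetype, the keyword ESCALATE and the Field2 value CRITICAL are placeholders standing in for whatever the real keyword and required Field2 value are. The first search is the per-event version of the asker's idea: rex sets KeywordFound only when Field1 contains the keyword, and the where clause then lets an event through either because no keyword was found (so only Field1 matters) or because Field2 holds the required value. The second search is the answer's subsearch version with the rex pattern quoted as the rex command requires.

```spl
index=main sourcetype=app_log Field1=*
| rex field=Field1 "(?<KeywordFound>ESCALATE)"
| where isnull(KeywordFound) OR Field2="CRITICAL"
| table _time Field1 KeywordFound Field2

index=main sourcetype=app_log Field1=*
    [ search index=main sourcetype=app_log Field1=*
      | rex field=Field1 "(?<KeywordFound>ESCALATE)"
      | search KeywordFound=*
      | head 1
      | eval query="Field2=CRITICAL"
      | fields query ]
```

The two searches are not equivalent. The where form decides per event, so an event without the keyword passes on Field1 alone while an event with the keyword must also match Field2. The subsearch form decides once for the whole search: if any event in the subsearch's time range contains the keyword, the returned query field appends Field2=CRITICAL to the outer search and every event is then filtered on Field2; if none does, the subsearch returns nothing and the outer search runs on Field1 alone. Pick the per-event form when the keyword varies across events, and keep the subsearch scoped to the same index, sourcetype and time range as the outer search so its decision reflects the same data.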