Splunk Search

Dynamic conditions composition into a search uses fields extracted from a lookup

robertosegantin
Path Finder

Hi to all,

I would like to define a dynamic condition into a lookup, which uses the fields defined inside a search, ad evaluate it into a search.

[my_lookup.csv]
service,condition
my_service,a>b 

This is what would like to do:

| inputlookup my_lookup.csv 
| eval a=3 
| eval b=4 
| eval result=if(condition,1,0)

Thanks!

0 Karma

niketn
Legend

@robertosegantin, try the following run anywhere search. The first makeresults command creates some test data with a and b values. Second makeresults command mimics lookup table with the following services and search expressions:

service     search
less_than      a<b
greater_than    a>b
equal          a=b
not_equal      a!=b

Following is the run anywhere search for testing. Keep changing service name from less_than to something else in the second search.

| makeresults 
| eval data="a=1,b=2;a=2,b=2;a=3,b=2"
| makemv data delim=";" 
| mvexpand data
| rename data as _raw
| KV
| fields - _time, _raw
| eval result=if( 
    [| makeresults 
    | fields - _time
    | eval data="service=\"less_than\",search=\"a<b\";service=\"greater_than\",search=\"a>b\";service=\"equal\",search=\"a=b\";service=\"not_equal\",search=\"a!=b\";"
    | makemv data  delim=";"
    | mvexpand data
    | rename data as _raw
    | extract pairdelim=,kvdelim="="
    | fields - a _raw
    | search service="less_than"
    | table search],1,0)

Following is the output:

a   b   result
1   2   1
2   2   0
3   2   0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

robertosegantin
Path Finder

I tried to semplify your solution.
This works:

| makeresults 
| eval a=1 
| eval b=2 
| eval result=if( 
    [| makeresults 
    | eval data="search=a<b" 
    | rename data as _raw 
    | extract pairdelim=,kvdelim="=" 
    | table search],1,0)

But unfortunately I am on the following scenario, which does not work:

| makeresults 
| eval a=1 
| eval b=2 
| eval c="a<b" 
| eval result=if( 
    [| makeresults 
    | eval data="search=".c 
    | rename data as _raw 
    | extract pairdelim=,kvdelim="=" 
    | table search],1,0)
0 Karma

niketn
Legend

@robertosegantin do you want to apply dynamic condition from the lookup or based on the condition applied you need to pull some other information from lookup. Your question seemed to be the first one which is what the run anywhere search provided solves. Instead of inner makeresults you would need to call the lookup file to get the condition to be applied in your query.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

robertosegantin
Path Finder

@niketnilay, I've corrected some mistakes that I did, and now it works correctly.
Note that the field extracted from the last "table" inside the subsearch MUST BE "search".

So now this is my working search:

| makeresults 
| eval a=80 
| eval b=60 
| eval result=if( 
    [| inputlookup conf_lookup.csv 
    | where servizio_nome="MY SERVICE" 
    | eval search=condition_KO
    | table search],1,0)

Is it possibile to make something like this?

| makeresults 
| eval a=80 
| eval b=60 
| eval service="MY SERVICE"
| eval result=if( 
    [| inputlookup conf_lookup.csv 
    | where servizio_nome="$service$" 
    | eval search=condition_KO 
    | table search],1,0)

Thanks

0 Karma

niketn
Legend

@robertosegantin sorry I had missed your follow up question. Seems like this is a use case for map command. If your issue is resolved, do accept/up-vote the comments that helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...