How can I use an if or eval statement to run a cus...

splunker1981 · ‎11-13-2017

Hello Splunkers -

Can't figure out for the life of me how to use eval or if statement to call a custom search command if an eval returns true. What I am doing is running an eval and testing some values, I would like to run custom command 1 if the statement tests to 1 and another custom command if it tests to 0. Any thoughts?

| eval valueToTest=if(isnotnull(statementHere),0,1)
| if (1 do customCommand1)
| if (0 do customCommand2)

DalJeanis · ‎11-14-2017

Try something like this...

  | eval valueToTest=if( your test here ,1,2)
  | appendpipe [ | where valueToTest==1 | do customCommand1 | eval rectype="1"]
  | appendpipe [ | where valueToTest==2 | do customCommand2 | eval rectype="2"]
  | where isnotnull(rectype)

splunker1981 · ‎11-16-2017

This partially works, I think. rec values populate but the fields and values that should be returned by the script never actually come back when run inside the appendpipe. Is there a way for that?

MuS · ‎11-13-2017

As far as I know this is still not possible out of the box, but you could put the logic into your custom command instead.

cheers, MuS

How can I use an if or eval statement to run a custom search command

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

How can I use an if or eval statement to run a custom search command

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle