Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to do Conditional Searches?

secphilomath
New Member
‎05-04-2022 03:55 PM

Is there a way to do a search like this;

If Eventid=1111

    only do these  statements

elseif Eventid=2222

    only do these statements

elseif eventid=3333

   only do these statements

Do these extra statements ...

Labels (1)
Labels
Tags (1)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎05-05-2022 09:02 AM

@secphilomath - Not sure what is your goal exactly but based on what you have described, you can try appendpipe command.

<your-search>
| appendpipe [| search event_id=1 | mycommand1 ]
| appendpipe [| search event_id=2 | mycommand2 ]
<anything else>

 

I hope this helps!!!

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-04-2022 04:28 PM

You can do if logic in eval statements, but there is no "if" block. It will depend on what you want to do in those conditions.

You can often achieve if type logic, can you give an example of the sort of actions you want to take.

 

0 Karma
Reply

secphilomath
New Member
‎05-05-2022 08:03 AM

Essentially I want to run 3 different search commands depending on the value of the eventid.  

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...