Splunk Search

How to edit my search inside an IF Condition?

karthikmalla
Explorer

Hello, I am having trouble writing a search string within an IF condition.

My example Search String is: index=* sourcetype=WinEventLog:Security EventCode=4648

I tried it in the below manner

| stats count as mytext 
| eval mytext = if(("$accounttype$" = "suspected"), "All Good", "JOIN_SEARCH")
| join mytext [index=* sourcetype=WinEventLog:Security EventCode=4648
| eval mytext="JOIN_SEARCH"]

In the above search string $accounttype$ is a drop-down token into the dashboard.

I am getting an error: "Unknown search command index=*"

0 Karma
1 Solution

acharlieh
Influencer

The problem you are running into is that, unlike the main search, when using subsearches (as is the case here with join) it is not assumed that the first command will be search. There are very common use cases for subsearches where this does not hold true.

So being explicit like so would solve your immediate syntax error:

| stats count as mytext 
| eval mytext = if(("$accounttype$" = "suspected"), "All Good", "JOIN_SEARCH")
| join mytext [search index=* sourcetype=WinEventLog:Security EventCode=4648 | eval mytext="JOIN_SEARCH"]

That said... it seems you are attempting to optionally run a search in a dashboard in response to an input. Could I suggest getting rid of the join and instead just using the simple search as your search, and using tokens to control the display of the panel? (This docs page has a ton of ideas around manipulating tokens.)

Alternatively, if you really feel the need to control running within the search, you could eliminate the join by flipping the condition like so:

index=* sourcetype=WinEventLog:Security EventCode=4648 | where "$accounttype$" != "suspected"

You could even tack on the "All Good" message using appendpipe if you wanted:

... | appendpipe [stats count | eval message="All Good" | where count=0 | fields - count]

But I really feel like in a dashboard, token manipulation outside of the searches is your best bet.

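One way to implement the token-controlled panel display that the answer above recommends, written as an added example rather than code from the original thread: a Simple XML dashboard whose dropdown `<change>` handler sets or unsets tokens, and whose panels `depends` on those tokens, so the EventCode 4648 search is only dispatched when the selection is not "suspected" and a static "All Good" panel is shown otherwise. The choice value "service" and the `stats count by host` aggregation are assumptions added for the example.

```xml
<form>
  <label>Explicit-credential logons (EventCode 4648)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="accounttype" searchWhenChanged="true">
      <label>Account type</label>
      <choice value="suspected">suspected</choice>
      <!-- "service" is an assumed second choice, not from the original thread -->
      <choice value="service">service</choice>
      <default>service</default>
      <change>
        <!-- "suspected": show the static message and hide the search panel,
             which also keeps its search from being dispatched -->
        <condition value="suspected">
          <set token="show_allgood">true</set>
          <unset token="run_search"></unset>
        </condition>
        <!-- any other value: run the search panel, hide the message -->
        <condition>
          <set token="run_search">true</set>
          <unset token="show_allgood"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- A panel with depends on an unset token is hidden and its search does not run -->
    <panel depends="$show_allgood$">
      <html><p>All Good</p></html>
    </panel>
    <panel depends="$run_search$">
      <title>Logons with explicit credentials (4648)</title>
      <table>
        <search>
          <!-- the original search from the question; the stats clause is an added assumption -->
          <query>index=* sourcetype=WinEventLog:Security EventCode=4648 | stats count by host</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```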

