Splunk Search

How to use IF....ELSE in Splunk

Newbie_punk
New Member

Hello 

I'm trying to figure out how I can use a kind of if...else condition in my Splunk query.

I've set up two metrics, which are sending data to Splunk. Each metric has a different index value.
For example: for Metric A the index is "index=aData" and for Metric B the index is "index=bData". Currently in Splunk I'm seeing duplicate data because both metrics are sending the same value. So what I'm trying to achieve is:

1. First, look for data coming from "index=aData"
2. If able to see data from index "aData", show me the results
3. Else, check the data from "bData" (not looking for an "OR" condition)

Results should show the data from only 1 index to avoid duplicates.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Newbie_punk,

SPL (Splunk Programming Language) isn't a procedural language, so you don't have a construct like if then else.

But you can assign a value to a field based on the condition you defined, e.g.

if the same field has different names (e.g. metricA and metricB), you can use:

index=aData OR index=bData
| eval metric=coalesce(metricA,metricB)
| table metric

or use the if condition in the eval command

index=aData OR index=bData
| eval metric=if(index="aData",metricA,metricB)
| table metric

Adapt this approach to your condition.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Describing problems in generic terms is not always helpful as it just leads to more questions about what you are trying to do and with what.

For example, one way of interpreting what you have said could be resolved like this

<search indexA>
| appendpipe [|stats count as _count | where _count = 0 | search indexB]

0 Karma

yuanliu
SplunkTrust
SplunkTrust

The best solution will depend on some other characteristics of the two datasets, and what exactly you plan to do with the surviving data. A generic approach, however, is to use exactly "OR". The idea is to retrieve all data, then retain data from one of the indices. Suppose you REALLY want to present all raw data (instead of using stats for presentation), you can do

index IN (aData, bData) <other criteria>
| eventstats values(index) as indices
| where index = mvindex(indices, 0)


Tags (1)
0 Karma
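As an added example that is not from any of the posters above, the following SPL makes the index preference explicit instead of relying on the alphabetical order that values(index) gives in the answer above. It takes the index names aData and bData from the question; the field names priority and best_priority are assumptions of this example, and any further filters from your own search go on the first line.

```spl
index IN (aData, bData)
| eval priority=case(index=="aData", 1, index=="bData", 2)
| eventstats min(priority) AS best_priority
| where priority=best_priority
| fields - priority best_priority
```

Because best_priority is computed over the whole result set, a single aData event anywhere in the time range is enough to drop every bData event from that search, which is exactly the "A if present, else B" behaviour asked for. If the two metrics should instead be reconciled per time bucket or per host, add those fields as a by clause on eventstats so the preference is applied within each group rather than globally.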