Re: How to use conditional search

nelaturivijay · ‎01-13-2025

Hi All,

I have a main search where name1 filed will have multiple values
I need to run sub search based on the value of name1.
The structure goes like this:
mail_search
which has name1=a
sub search
if name1=a
then run search1
if name1=b
then run search2

I have tried this with the following code:

| makeresults | eval name1="a" 
| eval condition=case(name1="a", "index=_internal | head 1 | eval val=\"Query for a1\" | table val", 
name1="b", "index=_internal | head 1 | eval val=\"Query for b\" | table val", 1=1, "search index=_internal | head 1 | eval val=\"Default query\" | table val")
|table condition
| map search=$condition$

I am getting the following error

Unable to run query '"index=_internal | head 1 | eval val=\"Query for a1\" | table val"'.

yuanliu · ‎01-14-2025

First, map is usually not the solution to the problem you are trying to solve.

Confusingly, everyone of the three searches will result in a predetermined string value of a single field. Why bother with index=_internal? If you are just trying to make a point of map, you can compose them with makeresults just as easily.

If you really want to use map, study the syntax and examples in map. The whole idea of map is to NOT use case function. To produce the result you intended, here is a proper construct:

| makeresults | eval name1 = mvappend("c", "b", "a")
| mvexpand name1
| map search="search index=_internal
  | head 1
  | eval val=if(\"$name1$\" IN (\"a\", \"b\"), \"Query for $name1$\", \"Default query\")
  | table val"

This is the output no matter what data you have in _internal.

val

Default query

Query for b

Query for a

However, there are often much easier and better ways to do this. To illustrate, forget val="Query for a". Let's pick more realistic mock values "info", "warn". This is a construct using map.

| makeresults | eval searchterm = mvappend("info", "warn", "nosuchterm")
| mvexpand searchterm
| map search="search index=_internal log_level=\"$searchterm$\"
  | stats count by log_level
  | eval val=if(\"$searchterm$\" IN (\"info\", \"warn\"), \"Query for $searchterm$\", \"Default query\")"

If you examine _internal events, you will know that, even though searchterm is given three values, the above should only give two rows, like

log_level	count	val
INFO	500931	Query for info
WARN	17262	Query for warn

However, the syntax of map makes the search much harder to maintain. Here is an alternative using subsearch. (There are other alternatives based on actual search term and data characteristics.)

index=_internal
    [makeresults
    | eval searchterm = mvappend("info", "warn", "nosuchterm")
    | fields searchterm
    | rename searchterm as log_level]
| stats count by log_level
| eval val = if(log_level IN ("INFO", "WARN"), "Query for " . log_level, "Default query")

If you apply this to the exact same time interval, it will give you exactly the same output.

Hope this helps.

kiran_panchavat · ‎01-13-2025

@nelaturivijay Please have a look.

https://docs.splunk.com/Documentation/Splunk/9.4.0/Viz/tokens#Using_tokens_in_a_search

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

ITWhisperer · ‎01-13-2025

If you re trying to do this in a dashboard, try setting a token to the variable part of the search and using that

How to use conditional search

eval

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Are you a member of the Splunk Community?

How to use conditional search

eval

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...