Splunk Search

How to write a search where if a specific value for FIELD1 is present in subsearch results, run Search1, but if not, run Search2?

Communicator

I have a search which has a field (say FIELD1). I would like to search the presence of a FIELD1 value in subsearch. If that FIELD1 value is present in subsearch results, then do work-1 (remaining search will change in direction-1), otherwise do work-2 (remaining search will change in direction-2).

pseudo search query:

index="sample_index" sourcetype="sample_sourcetype"| fields FIELD1 | search FIELD1 in [my sub search here| fields FIELD1] | if FIELD1 is present in subsearch, then do work-1, If not do work-2.

I looked at https://answers.splunk.com/answers/31842/why-cant-i-use-subsearch-in-the-case-function-in-the-eval-c...
But, this is talking about comparing a single value with a single value from a subsearch. What I am looking for is finding the FIELD1 value in multiple results of a subsearch.

Any suggestions to proceed further?

1 Solution

Hi, I think you can do it like this:
1- you write a search1 that tracks FIELD1 (you can use a regex for that) and put the result in a variable, let's say VAR

2- you pipe search1 and use the eval command with if().

3- in the function if(), in place of the conditional results you put subsearches.

4- all the previous steps will look like this:

index=.... sourcetype=... search1 | eval result=if( VAR="FIELD1" , [subsearch1 | return $result1] , [subsearch2 | return $result2] ) | table result

5- note that if you have many conditions you can imbricate if() like this:

if( condition, if(....), [ ] )

6- this is a small example using Splunk internal events:

index=* | eval result=if( host != "myPc" , [search index=* | stats dc(host) as cc | return $cc] , [search index=_* | stats c(source) as cs | return $cs] ) | table result


Path Finder

I know this question is old, but you could do it using the command map (no, it doesn't have to do with geographic maps).
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Map

0 Karma


|multisearch 
 [search <your base search1> here you track FIELD1 and put the result in VAR1] 
 [search <your base search> here you track FIELD1 and put the result in VAR2 ] 
 | eval result=if(VAR1==VAR2, [SEARCH3|return $result1]  ,[SEARCH3|return $result2])

take a look at the return command in the Search Reference manual.

Communicator

This seems to be the approach.
My Query had issues, because of other searches (SEARCH3 and SEARCH4).

Thanks for your time Stephane_cyrille

0 Karma

Communicator

Thanks for your response @stephane_cyrille. What I was looking for is slightly different.

Once I got FIELD1 from search1, I need to search for that value in a subsearch.
If FIELD1 is found in subsearch then proceed with SUBSEARCH1, if not SUBSEARCH2.

So, instead of simply comparing apple to apple (host!="mypc"), is there a way I can search for the FIELD1 value in a subsearch?

Explaining in another, more detailed way: I have 4 searches (SEARCH1, SEARCH2, SEARCH3, SEARCH4).
1. I will get FIELD1 from SEARCH1.
2. Search the FIELD1 values in SEARCH2. If found, do SEARCH3; if not, SEARCH4.

Thanks for your time and interest on this. Truly appreciated.
Early response will be much more helpful for me.

0 Karma
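The map-based approach from the Path Finder reply, carried through for the four-search requirement stated above, as an added example that is not from this thread: a left join flags whether each FIELD1 value from SEARCH1 also appears in SEARCH2, and map then dispatches SEARCH3 or SEARCH4 for each value depending on that flag. The index and sourcetype names are placeholders, and FIELD1 values are assumed to be single tokens without spaces or quotes so they can be substituted unquoted.

```spl
index="sample_index" sourcetype="sample_sourcetype"
| fields FIELD1
| dedup FIELD1
| join type=left FIELD1
    [ search index="search2_index" sourcetype="search2_sourcetype"
      | stats count AS search2_hits BY FIELD1 ]
| eval found=if(isnotnull(search2_hits), "yes", "no")
| eval branch=if(found=="yes",
      "index=search3_index sourcetype=search3_sourcetype",
      "index=search4_index sourcetype=search4_sourcetype")
| map maxsearches=100 search="search $branch$ FIELD1=$FIELD1$ | eval found_in_search2=\"$found$\""
| table found_in_search2 FIELD1 _time _raw
```

The join subsearch is subject to the usual subsearch result and time limits, and map runs one search per FIELD1 value up to maxsearches, so dedup the driving values and keep the list small enough for the search head.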