I have a search which has a field (say FIELD1). I would like to search the presence of a FIELD1 value in subsearch. If that FIELD1 value is present in subsearch results, then do work-1 (remaining search will change in direction-1), otherwise do work-2 (remaining search will change in direction-2).
pseudo search query:
index="sample_index" sourcetype="sample_sourcetype"| fields FIELD1 | search FIELD1 in [my sub search here| fields FIELD1] | if FIELD1 is present in subsearch, then do work-1, If not do work-2.
I looked at https://answers.splunk.com/answers/31842/why-cant-i-use-subsearch-in-the-case-function-in-the-eval-c...
But, this is talking about comparing single value with single value from subsearch. What I am looking is finding FIELD1 value in multiple results of subsearch.
Any suggestions to proceed further?
Hi, I think you can do it like this:
1- you write a search1 that track FIELD1 (you can use a regex for that ) and put the result in a variable let's say VAR
2- you pipe search1 and use eval command with if() .
3- in the funtion if( ) , at the place of conditionals results you put subsearches.
4- all the previous steps will look like this:
index=.... sourcetype=... search1 |eval result=if( VAR="FIELD1" ,[subsearch1|return $result1 ] , [subsearch2l return $result2] ) | table result
5-note that if you have many conditions you can imbricate if() like this:
if( condition, if(....), [ ] )
6- this is a small example using splunk internal event:
index=* | eval result=if( host != "myPc" , [search index=* |stats dc(host) as cc|return $cc] , [ search index=_* |stats c(source) as cs |return $cs] ) | table result
I know this question is old, but you could do it using the command map (no, it doesn't have to do with geografic maps)..
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Map
Hi, I think you can do it like this:
1- you write a search1 that track FIELD1 (you can use a regex for that ) and put the result in a variable let's say VAR
2- you pipe search1 and use eval command with if() .
3- in the funtion if( ) , at the place of conditionals results you put subsearches.
4- all the previous steps will look like this:
index=.... sourcetype=... search1 |eval result=if( VAR="FIELD1" ,[subsearch1|return $result1 ] , [subsearch2l return $result2] ) | table result
5-note that if you have many conditions you can imbricate if() like this:
if( condition, if(....), [ ] )
6- this is a small example using splunk internal event:
index=* | eval result=if( host != "myPc" , [search index=* |stats dc(host) as cc|return $cc] , [ search index=_* |stats c(source) as cs |return $cs] ) | table result
I have run a quick try as your approach but it got only one field return and I need to remove all non streaming command. Do you have another approach to advice?
|multisearch
[search <your base search1> here you track FIELD1 and put the result in VAR1]
[search <your base search> here you track FIELD1 and put the result in VAR2 ]
| eval result=if(VAR1==VAR2, [SEARCH3|return $result1] ,[SEARCH3|return $result2])
take a look on return command in Search Reference manual.
This seems to be the approach.
My Query had issues, because of other searches (SEARCH3 and SEARCH4).
Thanks for your time Stephane_cyrille
Thanks for your response @stephane_cyrille, What I was looking is slightly different.
Once I got FIELD1 from search1, I need to search for that value in a subsearch.
If FIELD1 is found in subsearch then proceed with SUBSEARCH1, if not SUBSEARCH2.
So, instead of simply comparing apple to apple (host!="mypc"), Is there a way I can search for FIELD1 value in subsearch?
Explaining In another detailed way, I have 4 searches (SEARCH1 ,SEARCH2 ,SEARCH3 ,SEARCH4).
1. I will get FIELD1 from SEARCH1.
2. Search FIELD1 values in SEARCH2, If found do SEARCH3, If not SEARCH4
Thanks for your time and interest on this. Truly appreciated.
Early response will be much more helpful for me.
Hi, can someone please provide a query for this? I am also looking for something similar. I want a search to retrieve value(VAR1) of FEILD1 and then write search2 with that value(VAR1).