Splunk Search

IF statements to determine which table to format in

aherrington
Path Finder

Hi there,

I'm wondering if it's possible to format a Splunk query like so:

IF results contains "this string" THEN use these formatting commands OR
IF results contains "a different string" THEN use these formatting commands

And if possible pull them all together in one table.

If it makes it easier to explain, I will try and use network logs as an example.

e.g. say the logs are as follows:

scrip=10.0.0.1 08/31/2018 11:23:34 PM (GMT)
scrip=10.0.0.2 07-09-2018 23:33:57

index=network scrip=10.0.0.1 | convert time format OR index=network scrip=10.0.0.2 | different time format conversion | table bothtimeconversion

Ideally the final table would look like this:

scrip      bothtimeconversion
10.0.0.1   09/07/2018 23:23:34
10.0.0.2   31/08/2018 23:33:57

I have already sorted the time conversion format; it's essentially how I would structure the different commands based on the different source IP.

Thank you in advance


aherrington
Path Finder

Hi all,

I used strcat to solve my problem in the end:

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/St

I decided my best method would be to complete the time conversions separately as 2 fields, then combine them into one field.


renjith_nair
SplunkTrust

@aherrington,

If there is a fixed number of source IPs, then you could use a case statement.

For example:

index=network
| eval my_formatted_time=case(
      scrip="10.0.0.1", strftime(my_time_variable, "MY_SOURCE1_TIME_FORMAT"),
      scrip="10.0.0.2", strftime(my_time_variable, "MY_SOURCE2_TIME_FORMAT"),
      1==1, my_time_variable)
| table scrip, my_formatted_time
Happy Splunking!
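A complete search in the spirit of the case() suggestion above, worked through with the two log formats from the question. This is an added example, not code from either post; the rex pattern, the field names raw_time and epoch, and the target output format dd/mm/YYYY HH:MM:SS are assumptions.

```spl
index=network (scrip=10.0.0.1 OR scrip=10.0.0.2)
| rex field=_raw "scrip=\S+\s+(?<raw_time>.+)$"
| eval epoch=case(
      scrip="10.0.0.1", strptime(raw_time, "%m/%d/%Y %I:%M:%S %p (%Z)"),
      scrip="10.0.0.2", strptime(raw_time, "%d-%m-%Y %H:%M:%S"),
      1==1, null())
| eval bothtimeconversion=if(isnotnull(epoch),
      strftime(epoch, "%d/%m/%Y %H:%M:%S"),
      raw_time)
| table scrip, bothtimeconversion
```

Each source is parsed with its own strptime pattern into epoch seconds, so one strftime produces a single consistent column; an unrecognised source falls through to null() and keeps its raw text rather than a bogus date. The 10.0.0.1 format carries a zone ("(GMT)", consumed by %Z), but the 10.0.0.2 format does not and is interpreted in the search head's time zone, which is the usual cause of off-by-hours discrepancies when correlating events across sources.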

aherrington
Path Finder

Thank you for your assistance. I will attempt this shortly; I think I may have to adapt some things, but it looks like it should work.
