If Else functionality to pick different subsearch

pbarbuto · ‎06-16-2018

Depending on what month it is I need to run a different sub-search.

index=foo source=bar
    [| inputlookup servers.csv where myfield="this" 
    | eval nowMonth=strftime(now(), "%m") 
    | where nowMonth=06
    | eval host=name
    | fields host] 
    [| inputlookup servers.csv where myfield="that" 
    | eval nowMonth=strftime(now(), "%m") 
    | where nowMonth!=06 
    | eval host=name
    | fields host]

So basically if its the current month I want to run the first inputlookup, and if its NOT the current month I want to run the 2nd inputlookup. is this doable?

FrankVl · ‎06-16-2018

Think that can be done in one go, like this:

index=foo source=bar
     [| inputlookup servers.csv  
     | eval nowMonth=strftime(now(), "%m") 
     | eval choice = if(nowMonth="06","this","that")
     | where myfield=choice
     | eval host=name
     | fields host]

If Else functionality to pick different subsearch

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

If Else functionality to pick different subsearch

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?