Re: If Else functionality to pick different subsea...

pbarbuto · ‎06-16-2018

Depending on what month it is I need to run a different sub-search.

index=foo source=bar
    [| inputlookup servers.csv where myfield="this" 
    | eval nowMonth=strftime(now(), "%m") 
    | where nowMonth=06
    | eval host=name
    | fields host] 
    [| inputlookup servers.csv where myfield="that" 
    | eval nowMonth=strftime(now(), "%m") 
    | where nowMonth!=06 
    | eval host=name
    | fields host]

So basically if its the current month I want to run the first inputlookup, and if its NOT the current month I want to run the 2nd inputlookup. is this doable?

FrankVl · ‎06-16-2018

Think that can be done in one go, like this:

index=foo source=bar
     [| inputlookup servers.csv  
     | eval nowMonth=strftime(now(), "%m") 
     | eval choice = if(nowMonth="06","this","that")
     | where myfield=choice
     | eval host=name
     | fields host]

If Else functionality to pick different subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation