Splunk Search

Implementing condition in search


This is the algorithm of my query. Could someone help me in constructing it?

If (A happens)
Then ( Execute B Query)

"Here A is a query like Host=A OR B, error_happened"
"B is a query like Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
Apple/Orange/Grape/Error/Error_happened are not Splunk fields they are just some string/keyword in events.
And B query should only execute if A query return any events/lines. If A query returns no events/lines then B shouldn't execute.

0 Karma


You could use a subsearch, and return null if your condition is unmet. Like this:

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null) 
| fields search 
| format "" "" "" "" "" "" ]
0 Karma


Thanks , I was looking something exactly like this.. a subsearch kind of thing..

In #4 you have said "fields search". What does this line do?
And what about #5 | format "" "" <-- does it mean to format the output?

Would this give the count (timechart) type stating how many events we had with (apple AND bad) & (Orange AND bad)?

0 Karma


So this subsearch will return a value based on whether or not it discovers events that match host=fruitbasket rotten. If there are events it will return bad AND (orange OR apple). If there are no events it will return NOT OR ()

NOT OR () evaluates to null, so the outer search will return zero events. If you want a timechart as well, then throw a timechart command after the search like so

[search host=fruitbasket rotten  
| stats count 
| eval search=if(count>0,"bad AND (orange OR apple)",null) 
| fields search 
| format "" "" "" "" "" "" ]
| timechart count

For more information on what the fields search and format mean, have a look at the subsearch documentation http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

0 Karma


Also if this answers your question don't forget to mark the answer as accepted!


0 Karma


The query runs without any error, however it doesn't return any events. It seems like it isn't finding the keywords error/orange/apple to search. I put double quotes around them, but the expression gets malformed. It is to be noted that error/orange/apple are not Splunk fields, but just some words found in events.

0 Karma


Which query returns no events? host=fruitbasket rotten or bad AND (orange OR apple)

0 Karma


bad AND (orange OR apple)

0 Karma


I'm a bit confused - If you do a query for bad AND (orange OR apple) on its own (without all the subsearch bit) do you get any results? If you get none then the problem is that you have no data, not that the search is being malformed.

If you think the eval is failing, try this on its own:

| eval search="bad AND (orange OR apple)"
| fields search 
| format "" "" "" "" "" ""

That's what will get sent to the main search if your condition is true.

0 Karma


[search host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*" Rotten
| stats count
| eval search=if(count>0,""error" AND ("apple" OR "orange")",null) )
| fields search
| format "" "" "" "" "" ""
| timechart count ]

When I run the queries individually (without nesting in a subsearch) they give results.
But when I run them together like above I get the error "Error in 'eval' command: The expression is malformed. Expected )."

Just so you know, rotten; error; apple; orange etc. are words found in logs, they are not Splunk fields.

0 Karma
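The "Expected )" error in the query above comes from the unescaped double quotes inside the eval string. The following is an added example, not one of the posters' own queries: it keeps the host and source patterns from the post, escapes the inner quotes with backslashes, uses null() (the eval function), and moves timechart outside the closing bracket so it runs on the outer search rather than inside the subsearch.

```spl
[search host="RAone*.jxa.com" OR host="RATwo*.jxa.com" source="/apps/BSA/data/log/bolly-*" Rotten
| stats count
| eval search=if(count>0, "\"error\" AND (\"apple\" OR \"orange\")", null())
| fields search
| format "" "" "" "" "" "" ]
| timechart count
```

Because error, apple and orange are plain keywords rather than fields, the quotes around them are optional; "error AND (apple OR orange)" without escaping works the same way.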

Super Champion

you have to use eval(if) in conjunction with like() on _raw data

Refer this link, you will get an idea.

let me know if it helps!

0 Karma


Could you give me a pseudo-query using eval(if) and like/_raw; a skeleton model query to have an idea how it should be.

0 Karma
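A skeleton for the eval/like() on _raw approach suggested above, added here as an example and not taken from any of the posters: it classifies each event from the initial search by which fruit keyword appears together with "bad" in the raw event text, then counts per fruit. The host and keyword values are the ones used in the thread; the field name fruit is an assumption.

```spl
host="fruitbasket" rotten
| eval fruit=case(
    like(_raw, "%apple%")  AND like(_raw, "%bad%"), "apple",
    like(_raw, "%orange%") AND like(_raw, "%bad%"), "orange",
    like(_raw, "%grape%")  AND like(_raw, "%bad%"), "grape")
| where isnotnull(fruit)
| stats count BY fruit
```

Events that contain none of the keyword pairs get no fruit value and are dropped by the where clause, so the stats table only shows the combinations that actually occurred.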


eval (Host=A OR B, usage
Show in stats/chart, if 'apple' and 'error' found'
if 'orange' and 'error' found
if 'grape' and 'error 'found'"
| stats count by usage) IF (Host=A OR B, "error_happened")

i.e. eval B IF (A happens).

Is this how it should be composed ?

0 Karma

Super Champion

I am not getting what you want.
Can you please provide some sample input data and also tell us what output you want?

0 Karma


Let me put it in another way,

If (Host = "fruitbasket" "rotten")
Then search ("apple" AND "bad") and ("orange" AND "bad")
and show it in some stats.

What I mean here is, if the initial search (Host = "fruitbasket" "rotten") returns any result then I want to search for events containing keywords ("apple" AND "bad") and ("orange" AND "bad"), etc.

Hope I am clear enough.

0 Karma