Hello,
I am wondering if it is possible to do a search within an "if" statement. I have tried what I have in the search below, but it does not appear to be working. Any assistance is helpful. Please be aware this is just a test search to see if this is possible; the search within the if statement will be changed at a later time.
|inputlookup TEST.csv
| lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN
| where !isnull(Valid_User) AND type="Group"
| fields - Valid_User message_id
|ldapfilter search="(memberOf=$DN$)" attrs="mail"
|rename mail AS Recipient
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host], "")
|table Recipient Subject type
Thanks.
As long as your search is returning a string/number in a single row that can be assigned/used in an eval expression, it'll work.
|inputlookup TEST.csv
| lookup Valid_Email mail as Recipient OUTPUT mail as Valid_User type as type dn as DN
| where !isnull(Valid_User) AND type="Group"
| fields - Valid_User message_id
|ldapfilter search="(memberOf=$DN$)" attrs="mail"
|rename mail AS Recipient
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | eval search="\"".host."\"" | table search ], "")
|table Recipient Subject type
So the subsearch within eval is returning just a single string value, enclosed in double quotes.
I have the same issue, however my search returns a table. Based on the if condition one of two searches is executed and the return type in both cases is a table. Any suggestions?
Unfortunately, all my numerous tests show that the query in the test case will run regardless of the test's results.
I ran the search you provided (I changed some of the wording to fit my environment) and I keep getting this error: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , "")'. Any idea as to why this is happening?
I think you need to use return host or return $host after head 1 | instead of the eval search ... | table search. Something like:
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return host], "")
or
|eval type1=if(type="Group", [search index=[INDEX] host=[HOST] |table host | head 1 | return $host], "")
Your second search worked. We have to put return $field.