Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search using IF statement

tech_soul
New Member
‎10-01-2019 12:48 AM

Hi All,

Could you please help me with " if "query to search a condition is true then need to display some values from json format .
please i m brand new to splunk ..

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-01-2019 01:00 AM

Hi tech_soul,
without othe information is difficoult to help you! could you share more information?

Anyway, you can use the if condition in an eval command to set a variable to use for searches, for additioan information see https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/ConditionalFunctions .

E.g. if I want to set a value OK if a field has a value less than 100 and NOK if the value is more than 100, you could create a search like this:

index=my_index
| eval my_check=if(my_field>100,"NOK","OK")
| table _time my_check

Then you can use this value for additional conditions as search or where.

Bye.
Giuseppe

Reply

LizAndy123
Path Finder
‎01-16-2025 04:26 PM

I have a question

I Did this on an event and basically did the If command - that if above 15 mins then Output is BAD and if under 15 the. output is GOOD - This works.

My question is I now want to search only the BAD and alert - so guess how do I start another search after I have run eval and got my BAD output?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-16-2025 05:16 PM

FWIW, it's usually better to ask a new question than to pile on to a 4-year-old thread.

To keep only the BAD events, try one of these

index=my_index
| eval my_check=if(my_field>100,"NOK","OK")
| where my_check="NOK"
| table _time my_check

or

index=my_index
| where my_field>100
| table _time my_field

 

 

---
If this reply helps you, Karma would be appreciated.
Reply

yshen
Communicator
‎10-12-2020 04:05 PM

Thanks for the concise example of if expression.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...