Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

change search based on the event's field's value

matansocher
Contributor
‎03-04-2018 07:08 AM

Hi,

I have a very big data set, and I want to return different fields from it, based on a value of another field (2 values possible).
if that field's (fieldA) value is 'aaa' I want to take the search to one place, and if the value is 'bbb' to another place, but at the end I want to go through the data only once.

now, I have a search for each of the options, which I concatenate them at their end:
index=main fieldA='aaa'
| set of commands
and
index=main fieldA='bbb'
| different set of commands

by that I am running on the same data twice. I want to run over the data once with something like:

index=main
| if(fieldA='aaa', set of commands, different set of commands)

I want to take care of the event differently for the two values possible of fieldA.

Is there an option to do that, or I will have to run over the data set twice?

Reply

p_gurav
Champion
‎03-05-2018 01:05 AM

Hi,

You can try something like:

index=main
| if(fieldA='aaa', [set of commands], [different set of commands])

Refer this links:
https://answers.splunk.com/answers/229204/how-to-write-a-search-where-if-a-specific-value-fo.html

0 Karma
Reply

matansocher
Contributor
‎03-05-2018 02:03 AM

I have given a look at that question, but it is still going through the results twice.

index=* 
| eval result=if( host != "myPc" , 
    [ search index=_
    | stats dc(host) as cc 
    | return $cc] , 
    [ search index=_ 
    | stats c(source) as cs 
    | return $cs] ) 
| table result

'search index=_' is there twice

0 Karma
Reply

elliotproebstel
Champion
‎03-04-2018 08:34 AM

Could you perhaps describe the overall problem statement and give some more details? It's quite likely that the community can give more complete support if we have a better understanding of your goals and a better sense of how you're trying to approach them.

0 Karma
Reply

matansocher
Contributor
‎03-05-2018 12:27 AM

edited the question, I think that now it has a deeper explanation of the problem

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...