format output based on IF condition

Splunk Search

Query 1:

| pivot mongo ServerStatus max(currentConnections) SPLITCOL host 
| fieldsummary 
| fields field, max 
| rename field as host, max as max_host 
| stats sum(max_host) as Total 
| search Total>20000

This above is displaying the total number of connections as expected

i want to add a if condition like whenever i met this condition i want to display connections per host as per below query. i tried including the search inside but this is not helping in my case

eval flag=if(condition, [SEARCH QUERY], null())

Query 2:

| pivot mongo ServerStatus max(currentConnections) SPLITCOL host 

| fieldsummary | fields field , max

| rename field AS host, max AS max_host

| eval host=host." (".max_host.")" 

| fields host

| mvcombine delim=" , " host

| nomv host

Result:

host1 (1414)

host2 (1415)

host3 (1416)

host4 (3532)

Both Queries are working as expected but i'm looking if i can connect them on condition like execute query 2 only on condition of Total connections exceed.

Any help is appreciated , thank you

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Are you a member of the Splunk Community?