Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

format output based on IF condition

r0ckyte
New Member
‎06-17-2020 04:52 AM

Hi 

Query 1:

 

| pivot mongo ServerStatus max(currentConnections) SPLITCOL host 
| fieldsummary 
| fields field, max 
| rename field as host, max as max_host 
| stats sum(max_host) as Total 
| search Total>20000

 

 

This  above is displaying  the total number of connections as expected

i want to add a if condition like whenever i met this condition i want to display connections per host as per below query. i tried including the search inside but this is not helping in my case

 

eval flag=if(condition, [SEARCH QUERY], null())

 

Query 2:

 

 

| pivot mongo ServerStatus max(currentConnections) SPLITCOL host 

| fieldsummary | fields field , max

| rename field AS host, max AS max_host

| eval host=host." (".max_host.")" 

| fields host

| mvcombine delim=" , " host

| nomv host

 

 

 

Result:

host1 (1414)
host2 (1415)
host3  (1416)
host4  (3532)
 

Both Queries are working as expected but i'm looking if i can connect them on condition like execute query 2 only on condition of Total connections exceed.

Any help is appreciated , thank you

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...