Re: help me with search command

sravankaripe · ‎03-24-2017

-------| eval test=if(condition,"INFO","Error") | search test

if condition is true the search must be behave as
--------| search "INFO"

else
--------| search "Error"

please help me with this

woodcock · ‎03-24-2017

Like this (with a subsearch):

... | search [|noop | stats count AS search | eval search=if(condition, "INFO, "Error") | return $search]

niketn · ‎03-24-2017

@sravankaripe... You would actually need to provide details around what is your conditions and what is the event when the condition will be triggered.

Please see a example below where I am running a dummy search to set my token. Then I am using the token in the actual search as search query filter. There are multiple possibilities and solutions.

  <search>
    <query>| makeresults
| eval log_level="INFO"
| table testData</query>
  <preview>
    <eval token="queryString">if(log_level=="INFO","INFO","ERROR")</eval>
  </preview>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype="splunkd" log_level="$queryString$"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>          
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kiran331 · ‎03-24-2017

use tokens

-------| eval test=if(condition,"INFO","Error") | search $test$

help me with search command

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor