Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help me with search command
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
help me with search command
sravankaripe
Communicator
03-24-2017
01:39 PM
-------| eval test=if(condition,"INFO","Error") | search test
if condition is true the search must be behave as
--------| search "INFO"
else
--------| search "Error"
please help me with this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-24-2017
01:54 PM
Like this (with a subsearch):
... | search [|noop | stats count AS search | eval search=if(condition, "INFO, "Error") | return $search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
03-24-2017
01:52 PM
@sravankaripe... You would actually need to provide details around what is your conditions and what is the event when the condition will be triggered.
Please see a example below where I am running a dummy search to set my token. Then I am using the token in the actual search as search query filter. There are multiple possibilities and solutions.
<search>
<query>| makeresults
| eval log_level="INFO"
| table testData</query>
<preview>
<eval token="queryString">if(log_level=="INFO","INFO","ERROR")</eval>
</preview>
</search>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype="splunkd" log_level="$queryString$"</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kiran331
Builder
03-24-2017
01:42 PM
use tokens
-------| eval test=if(condition,"INFO","Error") | search $test$
Related Topics
Get Updates on the Splunk Community!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...
