Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help me with search command
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
help me with search command
sravankaripe
Communicator
03-24-2017
01:39 PM
-------| eval test=if(condition,"INFO","Error") | search test
if condition is true the search must be behave as
--------| search "INFO"
else
--------| search "Error"
please help me with this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-24-2017
01:54 PM
Like this (with a subsearch):
... | search [|noop | stats count AS search | eval search=if(condition, "INFO, "Error") | return $search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
03-24-2017
01:52 PM
@sravankaripe... You would actually need to provide details around what is your conditions and what is the event when the condition will be triggered.
Please see a example below where I am running a dummy search to set my token. Then I am using the token in the actual search as search query filter. There are multiple possibilities and solutions.
<search>
<query>| makeresults
| eval log_level="INFO"
| table testData</query>
<preview>
<eval token="queryString">if(log_level=="INFO","INFO","ERROR")</eval>
</preview>
</search>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype="splunkd" log_level="$queryString$"</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kiran331
Builder
03-24-2017
01:42 PM
use tokens
-------| eval test=if(condition,"INFO","Error") | search $test$
Related Topics
Get Updates on the Splunk Community!
New Year, New Changes for Splunk Certifications
As we embrace a new year, we’re making a small but important update to the Splunk Certification ...
[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables
[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...
