
help with appendcols needed



I have a quite long SPL search in my alert, and one part of it looks as follows:

| eval rcatrigger = ""
| appendcols
    [| noop search_optimization=false
     | dbxquery query="myQueryText"
     | eval rcatrigger=$rcatrigger$ | fields - rcatrigger]

Now, the result is a table whose columns should be appended to another table from the processing happening earlier. My questions would be:
- How do I make it conditional, so that the dbxquery is executed / the columns appended only when the rcatrigger variable is not empty, say ="1"? Please see my try above, it is not working ...
- The result columns are appended in lexicographical order to the previous columns, I mean at the end they are mixed by alphabetical order. Is there any way to get the appended columns just on the right side? Unfortunately I cannot sort it later on with the table command, because the above dbxquery is not always the same - there will be several depending on the rcatrigger, so I do not know what columns will be returned.

Kind Regards,



I don't think you can pass variables from the parent query to the subquery (appendcols), as the subquery executes first.

You can try the 'map' command for your use case.


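As an added illustration of the map suggestion (this is not code from either poster), the parent rows are constructed with makeresults/streamstats, a configured DB Connect connection for dbxquery is assumed, and the query name is the one from the question. map runs its search once per surviving parent row and substitutes $field$ tokens from that row, so the rcatrigger check happens before any database query is dispatched:

```spl
| makeresults count=3
| streamstats count AS row
| eval rcatrigger = if(row=2, "1", "")   
| where rcatrigger="1"                          
| map maxsearches=10 search="| dbxquery query=\"myQueryText\"
    | eval rcatrigger=\"$rcatrigger$\", parent_row=$row$"
```

Unlike appendcols, map replaces the parent result set with the mapped results, so any parent fields you still need are carried over explicitly via tokens, as shown with rcatrigger and parent_row; the column set is then defined by the mapped search itself rather than merged alphabetically.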


Thank you.

I am not fixed on passing a parameter from the parent query to the subquery; what I want to achieve is conditional execution of the appendcols when rcatrigger=1.
How would I do this?

Kind Regards,
