Solved: how can i search an existing value from resultsear...

sfatnass · ‎06-18-2015

hello everybody,

i'm trying to fetch if a value existing on index or not.

after search result i get a new filtering fields and i want to know if i can use |eval test=if(index,"exist","notexist").

my exemple search::
index=A
|field blabla1 blabla2 blabla3
[dbquery "DB" "select..........." |fields + blabla]
[dbquery "DB" "select .........." |fields + blabla2]

|eval test=if(index=B,blabla3,"KO") ==> here is my problem

if any body have any idea thx

woodcock · ‎06-18-2015

The problem is that you have explicitly discluded the thing you are testing. Your search starts out with index=A so all of your initial results set will have ONLY index values of A. You then later say if(index=B) which will ALWAYS be false. You need to start out with something broader like (index=A) OR (index=B).

View solution in original post

woodcock · ‎06-18-2015

The problem is that you have explicitly discluded the thing you are testing. Your search starts out with index=A so all of your initial results set will have ONLY index values of A. You then later say if(index=B) which will ALWAYS be false. You need to start out with something broader like (index=A) OR (index=B).

vganjare · ‎06-18-2015

Can you please explain more about the problem? Try to create an example using _internal index.

how can i search an existing value from resultsearch on index?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

how can i search an existing value from resultsearch on index?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers