Solved: how can i search an existing value from resultsear...

sfatnass · ‎06-18-2015

hello everybody,

i'm trying to fetch if a value existing on index or not.

after search result i get a new filtering fields and i want to know if i can use |eval test=if(index,"exist","notexist").

my exemple search::
index=A
|field blabla1 blabla2 blabla3
[dbquery "DB" "select..........." |fields + blabla]
[dbquery "DB" "select .........." |fields + blabla2]

|eval test=if(index=B,blabla3,"KO") ==> here is my problem

if any body have any idea thx

woodcock · ‎06-18-2015

The problem is that you have explicitly discluded the thing you are testing. Your search starts out with index=A so all of your initial results set will have ONLY index values of A. You then later say if(index=B) which will ALWAYS be false. You need to start out with something broader like (index=A) OR (index=B).

View solution in original post

woodcock · ‎06-18-2015

The problem is that you have explicitly discluded the thing you are testing. Your search starts out with index=A so all of your initial results set will have ONLY index values of A. You then later say if(index=B) which will ALWAYS be false. You need to start out with something broader like (index=A) OR (index=B).

vganjare · ‎06-18-2015

Can you please explain more about the problem? Try to create an example using _internal index.

how can i search an existing value from resultsearch on index?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

how can i search an existing value from resultsearch on index?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?