Case Scenario:
Dashboard A is clicked, thus sending a token whose value is hostname ($hostnameToken$) to Dashboard B.
Dashboard B, with the following query, has received $hostnameToken$, which is then used in | search host_name, when the | search query returns “Results not Found”.
index=S score>=7.0 | lookup A.csv "IP Address" as ip OUTPUTNEW Squad | lookup B.csv IP as ip OUTPUTNEW PIC, Email | lookup C.csv ip as ip OUTPUTNEW host_name
IF (true) | search host_name="$hostnameToken$"
THEN DO THIS:
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
ELSE (false) | eval hostToken="$hostnameToken$" | lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip | search ip=ip
THEN DO THIS:
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
The next search is carried out by converting the hostname token value to IP via eval and lookup. If both ELSE conditions are not met (value is False), then the search stops.
Question:
How do I implement conditional statements in the above query? What is the right query to use?
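An SPL search is a single pipeline with no IF/ELSE branching between commands, so one way to get the behaviour described is to resolve the token to an IP up front and keep events that match on either the hostname or that IP. The following is an added example, not part of the original post; it assumes Dashboard B is a Simple XML dashboard, that CortexHostIp2.csv returns one ip per host_name, and the field name token_ip is made up for illustration.

```xml
<!-- Added example (not the poster's code). Assumes a Simple XML panel. -->
<!-- $hostnameToken|s$ uses the |s token filter, which wraps the value in
     quotes and escapes it, so a hostname containing quotes or pipes cannot
     change the structure of the search. -->
<!-- token_ip is a hypothetical field name holding the IP looked up for the
     clicked hostname. -->
<search>
  <query><![CDATA[
index=S score>=7.0
| lookup A.csv "IP Address" AS ip OUTPUTNEW Squad
| lookup B.csv IP AS ip OUTPUTNEW PIC, Email
| lookup C.csv ip AS ip OUTPUTNEW host_name
| eval hostToken=$hostnameToken|s$
| lookup CortexHostIp2.csv host_name AS hostToken OUTPUT ip AS token_ip
| where host_name=hostToken OR ip=token_ip
| stats values(plugin) AS Plugin values(solution) AS Solution values(PIC) AS pic values(Email) AS email values(Squad) AS squad BY ip
  ]]></query>
</search>
```

If neither condition matches, the where clause drops every event and the panel shows no results, which corresponds to the "search stops" case.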