I'm trying to create a conditional which will search using one of two search terms based on an IF statement.
A simplified example of what I'm trying to do looks like this:
IF "(condition)",then, "Search1", else, "Search2"
For context, I'm trying to check to see if an IP matches a CIDR range (private address). If there's a match, execute Search1. If not, execute Search2.
I'm new to SPL, coming from a scripting background, so I'm not sure if this method is even possible in Splunk.
Thank you!
Edit: Here is more information
The IF statement (checking if token $ip$ is an internal address):
if((cidrmatch("10.0.0.0/8",$ip$) OR cidrmatch("172.0.0.0/8",$ip$)), Search1, else Search2)
Search1 (filtering out other internal addresses, if token $ip$ is an internal address):
sourcetype=example src=$ip$ | where NOT cidrmatch("10.0.0.0/8", dest) AND NOT cidrmatch("172.0.0.0/8", dest)
Search2 (not filtering internal addresses, if token $ip$ is an external address):
sourcetype=example src=$ip$
I've excluded the sorting commands, etc., that will be appended, since I do not believe they would affect the logic here.
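One way to express this branching in a single search, as an added example rather than the poster's own SPL: instead of choosing between two searches, run the common base search and fold the condition into the filter with eval and cidrmatch. The dest filter only takes effect when the source is internal; external sources keep every event. This example assumes the field names src and dest from the question and uses the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as the definition of "internal".

```spl
sourcetype=example src=$ip$
| eval src_internal=if(cidrmatch("10.0.0.0/8", src)
                     OR cidrmatch("172.16.0.0/12", src)
                     OR cidrmatch("192.168.0.0/16", src), 1, 0)
| eval dest_internal=if(cidrmatch("10.0.0.0/8", dest)
                      OR cidrmatch("172.16.0.0/12", dest)
                      OR cidrmatch("192.168.0.0/16", dest), 1, 0)
| where src_internal=0 OR dest_internal=0
```

Because the base search already restricts src to the token value, testing the src field is equivalent to testing $ip$ and avoids quoting the token inside cidrmatch; the same pattern extends to any other per-branch filter by adding it to the where clause guarded by src_internal.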