
I have a use case where I want to set the value of a variable based on a condition and then use that variable in the search command.

Example: I want to check the condition

    if account_no=818

    then var1="vpc-06b"

    else var1="*"

I tried

    ...|eval val1=case(acc_no==818,"vpc-06b",acc_no!=818,"*")|search vpc_id=val1

but I am not getting any events. If I try

    ...|search vpc_id=vpc-06b

then I get the expected output.

Pardeep
YouBee

2 Answers


Do you have the field vpc_id extracted? If you run the search `... | stats count by vpc_id`, do you get results split by vpc_id?

The reason I ask is that your second search, `...|search vpc_id=vpc-06b`, shouldn't work. What I would expect to work, if you had the field extracted, is `...|search vpc_id="vpc-06b"`. If the second form works, then your logic with the case statement is correct.

I'm going to assume that the field has not been extracted properly. In that case, I suggest you try the following. I use the rex command to force the field to be extracted, then use that in the comparison.

    ... | rex field=_raw "vpc_id=(?<vpc_id>\S+)" | eval val1=case(acc_no==818,"vpc-06b",acc_no!=818,"*") | where vpc_id=val1
Simon Duff
  • Hi Simon, the vpc_id field is properly extracted; yes, I am getting the result split by vpc_id. Actually, the problem I found here is that I have multiple values of vpc_id which I need to set in the variable using OR, for example `...| eval val1=case(acc_no==818,"vpc-06b OR vpc_067b",acc_no!=818,"*") | where vpc_id=val1`, as we would give in a normal search, let's say `val1="vpc-06b" OR "vpc_067b"`. – YouBee Oct 30 '19 at 12:21
  • If I try this query, `|search vpc_id="vpc-078" OR "vpc-02c"`, then it works as expected. In the same way I want the result to be populated using the condition specified. – YouBee Oct 30 '19 at 12:29
  • It would be great if You can help me out. Thanks in advance Simon. – YouBee Oct 30 '19 at 12:33
  • I think you're better off using a subsearch. I will post that as a separate answer. – Simon Duff Oct 30 '19 at 22:57
  • Actually, could you post your entire use-case and some sample events? I'm not sure how the account number is related to the other events you are looking for. – Simon Duff Oct 30 '19 at 23:07
  • The use case is that I have to search for only those events which have the field vpc_id="vpc-078" OR "vpc-02c" when acc-number=818. For the rest of the accounts I have to search for all the events regardless of the vpc-id. – YouBee Oct 31 '19 at 04:50
  • So you are looking for 2 fields in the same event? In that case you want `(acc-number=818 AND (vpc_id="vpc-078" OR vpc_id="vpc-02c" )) OR (acc-number!=818 AND vpc_id="*")` – Simon Duff Oct 31 '19 at 07:03
    index=... (acc-number=818 AND (vpc_id="vpc-078" OR vpc_id="vpc-02c" )) OR (acc-number!=818 AND vpc_id="*")

(You don't actually need the ANDs; I'm just including them to make it clearer.) The following is also acceptable:

    index=... (acc-number=818 (vpc_id="vpc-078" OR vpc_id="vpc-02c" )) OR (acc-number!=818 vpc_id="*")
Simon Duff
  • Any idea of this : https://stackoverflow.com/questions/58705525/how-to-use-boto3-in-splunk-enterprise – YouBee Nov 05 '19 at 08:49
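As an added example (not code from the question or either answer), the following Python builds the boolean search clause from the accepted answer for any number of restricted accounts, and evaluates the same predicate locally over constructed sample events so the generated clause and its intended meaning can be checked against each other. The field names `acc-number` and `vpc_id` are taken from the thread; the `rules` mapping is an assumed input.

```python
# Added example, not from the thread: generate the accepted answer's
# search clause for N restricted accounts and evaluate it locally.
ACC_FIELD = "acc-number"  # field names as used in the thread
VPC_FIELD = "vpc_id"


def build_vpc_filter(rules):
    """rules maps an account number to the vpc_ids it is limited to.

    Every other account matches all of its events, mirroring the answer's
    (acc-number!=818 AND vpc_id="*") branch. Returns the clause that goes
    after `index=...` in the search.
    """
    branches = []
    for acc, vpcs in sorted(rules.items()):
        vpc_terms = " OR ".join(f'{VPC_FIELD}="{v}"' for v in vpcs)
        branches.append(f"({ACC_FIELD}={acc} AND ({vpc_terms}))")
    not_restricted = " AND ".join(f"{ACC_FIELD}!={acc}" for acc in sorted(rules))
    branches.append(f'({not_restricted} AND {VPC_FIELD}="*")')
    return " OR ".join(branches)


def event_matches(event, rules):
    """The same predicate applied to one event (a dict of field values)."""
    acc = event.get(ACC_FIELD)
    vpc = event.get(VPC_FIELD)
    if acc in rules:
        return vpc in rules[acc]
    # vpc_id="*" only matches events that actually carry the field
    return vpc is not None


# Constructed sample events for the check; not real data.
SAMPLE_EVENTS = [
    {"acc-number": 818, "vpc_id": "vpc-078"},  # restricted account, allowed vpc
    {"acc-number": 818, "vpc_id": "vpc-06b"},  # restricted account, other vpc
    {"acc-number": 200, "vpc_id": "vpc-06b"},  # unrestricted account
    {"acc-number": 200},                       # no vpc_id field at all
]

if __name__ == "__main__":
    rules = {818: ["vpc-078", "vpc-02c"]}
    print(build_vpc_filter(rules))
    print([event_matches(e, rules) for e in SAMPLE_EVENTS])
```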