FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Conditional Parsing

mario_rwwa
Frequent Guest

‎23 May 2024 02:24 AM - last edited on ‎24 May 2024 09:37 AM by Community Team

Currently I'm dealing with a logfile which outputs different data depending on the action which has occurred, one parse statement cannot handle all the options so I have multiple parse statements.

I need to combine it all into one table at the end, but the only option I've found so far is via multiple fetch & appends, which feels very inefficient and clunky. Is there are way to streamline this sort of query?

As an example:

 

 

 

 

fetch logs, from: -3d
|  filter dt.host_group.id == "myTag"
|  filter matchesPhrase(content, "myFirstTextToMatch")
| parse content, "DATA blah blah blah parse out fields here"
| append  [fetch logs, from: -3d
  |  filter dt.host_group.id == "myTag"
  |  filter matchesPhrase(content, "mySecondTextToMatch")
  |  parse content, "DATA blah blah blah parse out second pattern fields here"
    | append  [fetch logs, from: -3d
      |  filter dt.host_group.id == "myTag"
      |  filter matchesPhrase(content, "myThirdTextToMatch")
      |  parse content, "DATA blah blah blah parse out third pattern fields here"
... and so on

 

 

 

 

Is there a way to use a conditional operator here maybe?

ie, IF matches FirstText then parse using First pattern ELSE IF matches SecondText parse using Second pattern...

Labels:
Reply
0 REPLIES 0
Ask a question

Featured Posts