topic Re: Use 2 related tokens to create as 2 conditions in Splunk Search

How to use two related tokens to create as two conditions?

Jouman — Wed, 10 May 2023 17:02:46 GMT

Hi all,

I need to provide 2 fitlers, one for item_id and the other one for item_folder_name.

The user will enter item_folder_name for filter_1 first.
If the items under item_folder_name aren't suitable to analyze, once the user know it and he will input item_id as well. The 2 filters can restrict the item that I need to analyze.

Currently, I write as below. However, I need to allow the item_id that is not under the filtered item_folder_name. The code can't allow a item_id which is not under the specified item_folder_name.

Is there any way to allow the filter for item_id seperated from the filter for item_folder_name ?
I want to allow the user to enter item_id filter, and provide the filter of item_folder_name to search the item_id inside within 6 months as well.

(item_id=$tkn.item_id$) [ | search index=my_index sourcetype="md:sv:master" _index_earliest="01/01/2023:00:00:00" _index_latest=now() | inputlookup item_table.csv item_id OUTPUT item_folder_name | where ($tkn.item_folder_name$) | fields + item_id]

Thank you.

Re: Use 2 related tokens to create as 2 conditions

gcusello — Wed, 10 May 2023 10:49:14 GMT

Hi @Jouman,

Your search isn't so clear for me: what's the main search?

it seems tha the main search is (item_id=$tkn.item_id$) and the content od the square parenthesis is a subsearch in the main search.

Anyway, you have to create two dropdown list inputs, where the second (item_id) contains also the token of the first (item_folder_name) so you can filter the second based on the value of the first,

Then I suppose that you extract the item_folder_name from the search results, in this way, your search is slower but you're sure to have only values with results in the events.

If you're using a Simple XML dashboard, could you share your complete dashboard code?

Ciao.

Giuseppe

Re: Use 2 related tokens to create as 2 conditions

Jouman — Thu, 11 May 2023 02:54:16 GMT

Hi @gcusello ,

Thank you for the suggestion. I rewrite my requests as below with xml code.

Here is the panel contained a filter to select FolderName.

<panel> <title>Find Items in one folder</title> <input type="text" token="tkn.foldername$" searchWhenChanged="true"> <label>Step 1: Input your folder</label> <prefix>FolderName like "</prefix> <suffix>"</suffix> <default>FOLDER_ONE</default> <initialValue>FOLDER_ONE</initialValue> </input> <table> <search> <query> my search... </query> </panel>

Here is the panel included included another token to restrict ItemID and the main search.
I hope to restrict the input ItemID in main search and the source will be (1) input ItemID (2) input FolderName then know what's the ItemID included.
However, by below code, if the ItemID from user input is not under FolderName, the will be no results.

Is there any way to accept both (1) input ItemID under arbitrary folder , and (2) input FolderName as the input for my main search ?

<panel> <title>Test_Case_1</title> <input type="text" token="tkn.itemid" searchWhenChanged="true"> <label>Step 2: Input the ItemID</label> <default>503</default> </input> <table> <title>Test_Case_1_part1</title> <search> <query>(ItemID=$tkn.itemid$) AND (index=my_item_name_index item_name="ABC" OR item_name="XYZ") [| search index=my_item_id_index _index_earliest="01/01/2023:00:00:00" _index_latest=now() | lookup table.csv.gz ItemID OUTPUT FolderName | where ($tkn.foldername$) | fields + ItemID ] | eval stage=case(item_name="ABC", "stage_1", item_name="XYZ", "stage_2", true(), NULL) | eval stage_index=case(isnotnull(stage), item_index) | eval start_index=if(match(stage,"stage_1"), item_index, NULL) | sort 0 + ItemID item_index | streamstats reset_before="("stage=\"stage_1\"")" first(start_index) as session_index by ItemID | eval Session_ID = ItemID+"-"+session_index | chart limit=0 sep=_ list(item_index) as Stage_Index, first(_time) as Stage_Time over Session_ID by stage

Thank you so much.

Re: Use 2 related tokens to create as 2 conditions

gcusello — Thu, 11 May 2023 07:10:54 GMT

Hi @Jouman,

in other words, you wouyld add the first token to the second code, if this is your requirement, you could try:

<panel> <title>Test_Case_1</title> <input type="dropdown" token="tkn_foldername" searchWhenChanged="true"> <label>Step 1: Input your folder</label> <prefix>FolderName="</prefix> <suffix>"</suffix> <fieldForLabel>FolderName</fieldForLabel> <fieldForValue>FolderName</fieldForValue> <default>FOLDER_ONE</default> <initialValue>FOLDER_ONE</initialValue> <search> <query> | inputlookup table.csv.gz | fields FolderName | sort FolderName | table FolderName </query> </search> </input> <input type="dropdown" token="tkn_itemid" searchWhenChanged="true"> <label>Step 2: Input the ItemID</label> <default>503</default> <prefix>itemId="</prefix> <suffix>"</suffix> <fieldForLabel>ItemID</fieldForLabel> <fieldForValue>ItemID</fieldForValue> <search> <query> | inputlookup table.csv.gz WHERE $tkn_foldername$ | fields ItemID | sort ItemID | table ItemID </query> </search> </input> <table> <title>Test_Case_1_part1</title> <search> <query> (ItemID=$tkn_itemid$) (index=my_item_name_index item_name="ABC" OR item_name="XYZ") [| search index=my_item_id_index _index_earliest="01/01/2023:00:00:00" _index_latest=now() | lookup table.csv.gz ItemID OUTPUT FolderName | search ($tkn_foldername$) | fields ItemID ] | eval stage=case(item_name="ABC", "stage_1", item_name="XYZ", "stage_2", true(), NULL) | eval stage_index=case(isnotnull(stage), item_index) | eval start_index=if(match(stage,"stage_1"), item_index, NULL) | sort 0 + ItemID item_index | streamstats reset_before="("stage=\"stage_1\"")" first(start_index) as session_index by ItemID | eval Session_ID = ItemID+"-"+session_index | chart limit=0 sep=_ list(item_index) as Stage_Index, first(_time) as Stage_Time over Session_ID by stage

But in your search there are some thing not correct:

in the folder input the like you used it isn't correct,
you could take values from the lookup instead using a text box,
you cannot put "$" in the token name,
you don't need to use AND operator in the main search,
in the tokens, don't use dot, but underscore,
at least I don't enter in the search logic, but using a so large time period in a subsearch ("always"!), probably you'll have more than 50,000, but this is the limit for subsearches, so probably you'll have a partial result and surely you'll not have a performant search;
when you have to compare results from a search with the always results (or a very large time period), it's better to create a scheduled search that every night saves the results of your search in a summary index, so you can use this summary index to compare your results with all time.

In conclusion, review your search, before approach the input phase.

Ciao.

Giuseppe

Re: Use 2 related tokens to create as 2 conditions

Jouman — Fri, 12 May 2023 07:00:57 GMT

Hi @gcusello ,

Thanks for the several correction.

I didn't know it is bad to use dot in the token, thanks for the comments.

I really appreciate the solution you provided and I have one question about it.

The ItemID from the filter may not be located under the FolderName from the other filter.

Is there any way to allow the ItemID from arbitrary folder and the ItemID included under the specified folder name as well in the main search ?

<query> | inputlookup table.csv.gz WHERE $tkn_foldername$ | fields ItemID | sort ItemID | table ItemID </query>

Thanks for all the advice.

Re: Use 2 related tokens to create as 2 conditions

gcusello — Fri, 12 May 2023 07:20:10 GMT

Hi @Jouman,

inert in the choices of the folder dropdown also the static option "All" (*) so you'll list the itemIDs of all the folders.

Ciao.

Giuseppe

Re: Use 2 related tokens to create as 2 conditions

Jouman — Fri, 12 May 2023 21:21:24 GMT

Hi @gcusello ,
Thank you very much for all the suggestion.

I find the way to fix my problem.

I can't find the solution without your help, and I am truly grateful.

Thanks.