topic Re: Executing Conditional Queries in Splunk Based on Input Value in Splunk Search

Executing Conditional Queries in Splunk Based on Input Value

taruntalreja — Wed, 30 Oct 2024 14:46:58 GMT

I have two query in splunk query 1 and query 2 and an input. Based on the input, i need to execute either query 1 or query 2. I am trying something like below query but it is not working for me.

Re: Executing Conditional Queries in Splunk Based on Input Value

alexandarmatev1 — Wed, 30 Oct 2024 16:54:37 GMT

Re: Executing Conditional Queries in Splunk Based on Input Value

taruntalreja — Wed, 30 Oct 2024 17:11:08 GMT

This solution does not work, I am getting empty result. I think there is an issue and myInput variable is not passed in append. One more issue with this solution is that both the queries will be running but we know beforehand which query to run, so I am looking for some optimized solution where only 1 query is ran based on the filter.

Re: Executing Conditional Queries in Splunk Based on Input Value

alexandarmatev1 — Wed, 30 Oct 2024 18:03:16 GMT

Why don't you try with macros and if, case statement?

Re: Executing Conditional Queries in Splunk Based on Input Value

richgalloway — Thu, 31 Oct 2024 13:14:15 GMT

SPL does not support conditional execution of commands. It can be simulated in a dashboard by setting a token to the desired search string and referencing the token in the query.

<fieldset> <input token="myInput"...> <change> <condition match="<<option 1>>"> <set token="query">SPL for option 1</set> </condition> <condition match="<<option 2>>"> <set token="query">SPL for option 2></set> </condition> </change> </input> </fieldset> ... <row> <panel> <table> <search> <query>$query$</query> </search> </table> </panel> </row>