topic Re: dropdown and conditional field value based search in Splunk Search

dropdown and conditional field value based search

cfbridgewater — Mon, 28 Sep 2020 16:55:11 GMT

i have view that i want to use to filter hosts by development tier (QA, STAGE, PROD).

The drop down is configured as such:

PROD
STAGE
DEV
PROD

The source field has different values based on environment:

PRD: source= /prd/logname.log
STAGE: source= /data/stage/logs/logname.log
DEV: source= /home/qa_env_host/logging/logname.log

I want to display results only for the relevant hosts in each tier ... so i think the right way to go is either via IF or CASE, but i'm not sure how to filter my search based on $env$ and the source field.

i'm new to more complex searching in splunk and would appreciate guidance on the right way to do this.

Re: dropdown and conditional field value based search

cfbridgewater — Tue, 24 Jun 2014 22:36:49 GMT

i've tried the following, but this only overwrites my source ... and the processing comes after the actual indexing of the results (right?):

index="" sourcetype="delorean-jvmgc" | eval source=case($env$ == "Prod", "/prd/", $env$' == "STAGE", "/data/stage/", $env$ == "DEV", "/home/")

Re: dropdown and conditional field value based search

cfbridgewater — Tue, 24 Jun 2014 22:38:32 GMT

index="" sourcetype="delorean-jvmgc" | eval source=case($env$ == "Prod", "/prd/", $env$' == "STAGE", "/data/stage/", $env$ == "DEV", "/home/*")

Re: dropdown and conditional field value based search

somesoni2 — Wed, 25 Jun 2014 01:02:02 GMT

Are the source value static (have only 3 possible values as mentioned in the question?

Re: dropdown and conditional field value based search

davby — Wed, 25 Jun 2014 09:06:32 GMT

Note that you've specified different values for the source field in your question and in your comments. My answer is based on the values you've listed in your second comment; adjust them as needed for the real search.

If you change the values of the choices to be the values you want for the source field, e.g.:

<choice value="/prd/">STAGE</choice>

then the following search should work:

index="" sourcetype="delorean-jvmgc" source="$env$"

Alternately, add the following prefix and suffix to the input:

  <prefix>source="</prefix>
  <suffix>"</suffix>

and simply search for:

index="" sourcetype="delorean-jvmgc" $env$

If you need to retain the original values, you could use a subsearch with your original definition (taking the source values from your second comment):

index="" sourcetype="delorean-jvmgc" [
    | gentimes start=-1
    | eval source=case("$env$" == "Dept.ProdDC.PROD", "/prd/", 
                       "$env$" == "Dept.STAGEDC.STAGE", "/data/stage/",
                       "$env$" == "Dept.DEVDC.DEV", "/home/*")
    | fields source
    ]

Re: dropdown and conditional field value based search

cfbridgewater — Wed, 25 Jun 2014 13:37:40 GMT

that worked like a charm. one slight edit is that index="*". i'd like to better understand the usage of the | fields source. is that what pipes the results of the search within the brackets to the field source?

Re: dropdown and conditional field value based search

cfbridgewater — Wed, 25 Jun 2014 13:38:35 GMT

Re: dropdown and conditional field value based search

davby — Wed, 25 Jun 2014 13:58:35 GMT

If you are searching every index, you can drop index="*" entirely.

Brackets indicate a subsearch. The subsearch generates terms that are inserted into the outer search. You can see exactly what terms by running the subsearch alone (no brackets), and appending "| format" to the end. Look for the "search" column in the results.

There's more to it than that, of course. Section "Group and Correlate Events" in the search manual has more details.

Re: dropdown and conditional field value based search

Wendy — Sun, 08 Aug 2021 00:07:38 GMT

I came across this answer with a similar situation to solve.

Situation:

I created a dropdown with different deployment environments as values, source code like below:

<input type="dropdown" token="deploy_env" searchWhenChanged="true">
<label>Deployment Environment</label>
<choice value="nonprod">Non Production</choice>
<choice value="prod">Production</choice>
<default>nonprod</default>
</input>

I need to query below, namely to have space_name and app_name value depend on $delpy_env$:

index=$deploy_env$ org_name="my_org_name" space_name="spacename_based_on_$deploy_env$" app_name="appname_based_on_$deploy_env$" message_type=OUT | search "Qr Pdf sent to" | stats count

Based on answers from this topic, I came up with below solution:

index=$deploy_env$org_name="my_org_name" message_type=OUT
| eval space_name=case("$deploy_env$" == "nonprod", "spacename-dev", "$deploy_env$" == "spacename-prod", "prod")
| eval app_name=case("$deploy_env$" == "nonprod", "serviceappname-dev", "$deploy_env$" == "prod", "serviceappname-prod")
| search "Qr Pdf sent to" | stats Count

Could anyone check if the solution is correct please and if there are better ways to solve this issue? Thank you.