Need idea about searching with condition

zacksoft · ‎12-28-2017

This is the algorithm of the search that I am looking for,

If the stats count of (Host=A AND B, banana) > 0,
Then search (Host=A AND B, banana_shake, banana_juice)
time chart count banana_shake, banana_juice

I am not sure how to formulate a subquery/subsearch for this or if any conditional statement can help .
If the first search returns any result then only the subsequent search should execute. The subsequent search could be anything including different hosts/condition etc..

nikita_p · ‎12-28-2017

Hi @zacksoft,
Can you tell me what output are you looking for?
And what is the condition for banana_shake and banana_juice?

zacksoft · ‎12-28-2017

Let me rephrase the question.
When my host is in distress (i.e. it encounters a specific error), I want to do a search of something during that time. I know the query to find the host in distress (i.e. Host="A" AND "B" "error_code_1"). Now if there is no error this search won't give me any events. (event count =0).
I want to be able to calculate the number of events this search generates (if event count > 0) , then I have to run another query. The other query is something like (i.e. Host="A" AND "B" "who_did_it" "what_happened").

The second query should only execute if first one generates any event. How can I achieve the above scenario ?

niketn · ‎12-28-2017

@zacksoft, please try the following run anywhere dashboard based on Splunk's _internal index.
There is a dummy search which runs the query to find whether there are any results returned using default search job token $job.resultCount$ .
PS: I have used a Textbox to test the query when some result is returned vs when no result is returned. For Example ExecProcessor* should return events if there are Warnings present for the component if you set the same to ExecProcessor1 it should not return any results as the component does not exist. You can also try to expand the Search duration in case ExecProcessor does not return any warning for last 24 hours.

<form>
  <label>Run Search if Records found</label>
  <search>
    <query>index=_internal sourcetype=splunkd log_level="WARN" component="$tokComponent$"</query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$!=0">
        <set token="tokSearchQuery">index=_internal sourcetype=splunkd log_level="WARN" component="$tokComponent$"
| timechart count by component</set>
      </condition>
      <condition>
        <unset token="tokSearchQuery"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="tokComponent" searchWhenChanged="true">
      <label>Enter Component (for test)</label>
      <default>ExecProcessor*</default>
    </input>
  </fieldset>
  <row depends="$tokSearchQuery$">
    <panel>
      <chart>
        <search>
          <query>$tokSearchQuery$</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row rejects="$tokSearchQuery$">
    <panel>
      <html>
        <div style="text-align:center;font-weight:bold;color:red;font-size:200%">No Results Returned. Timechart is hidden!</div>
      </html>
    </panel>
  </row>
</form>

PS: I have added an HTML panel to be displayed in case base search returns no results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

zacksoft · ‎12-28-2017

Sorry, I didn't quite understand your response. How/Where do I use this HTML ?
Could you please elaborate.I am new to this thing.

niketn · ‎12-28-2017

@zacksoft, the count of (Host=A AND B, banana) could be calculated based on following piece of code in Sample dashboard above (I have used Splunk's _internal index for making it run anywhere example. You can replace with your own base search):

     <query>index=_internal sourcetype=splunkd log_level="WARN" component="$tokComponent$"</query>
     <earliest>$tokTime.earliest$</earliest>
     <latest>$tokTime.latest$</latest>
     <sampleRatio>1</sampleRatio>
     <done>
       <condition match="$job.resultCount$!=0">
         <set token="tokSearchQuery">index=_internal sourcetype=splunkd log_level="WARN" component="$tokComponent$"
 | timechart count by component
       </condition>
       <condition>
         <unset token="tokSearchQuery"></unset>
       </condition>
     </done>

As stated the <done> search event handler sets the token tokSearchQuery with the query to retrieve the timechart in case the base search has events (i.e. job.resultCount!=0). In case there are no events returned in the base search the token tokSearchQuery is unset.

The attributes depends and rejects shows the specific dashboard element based on whether the token is set or unset above. In our case either show the Timechart or else show custom message using HTML panel. PS: HTML panel is not mandatory, you may remove if you want to.

Refer to Null Result Swapper example in Splunk Dashboard Examples app from Splunkbase.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Need idea about searching with condition

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!