How to add Logical AND or logical OR in splunk das...

harishsplunk7 · ‎08-05-2024

how to get add a radio button or a checkbox for the user selection of Index and the Sourcetype, to select between logically AND or logical OR between the Index and the Sourcetype. This will allow to view in one selection searches that could be performed by users either by the index or by the sourcetype.

ITWhisperer · ‎08-05-2024

Create a dropdown or radio buttons to select either "index" or "sourcetype" and use that token in your search

$type_of_search$=$value_of_search$

harishsplunk7 · ‎08-05-2024

Could you please give me some example because i need to use this into ad-hoc search and saved search

ITWhisperer · ‎08-05-2024

Tokens are used in dashboards - how does this relate to ad-hoc or saved searches? Are these part of your dashboard?

harishsplunk7 · ‎08-05-2024

Yes its part of my dashboard, for example if i select checkbox or radio button ( logical AND or Logical OR) will show the result accordingly in panel either is simple search or any other panels.

could you please give me example search to define the token

ITWhisperer · ‎08-05-2024

Please share the source of your dashboard in a code block for ease of understanding

harishsplunk7 · ‎08-05-2024

<form theme="light">
<label>Logical Test</label>
<fieldset submitButton="true" autoRun="false">
<input type="checkbox" token="command" searchWhenChanged="false">
<label>Logically OR'ed Search Command</label>
<default>*</default>
<initialValue>*</initialValue>
<choice value="*">Index</choice>
<choice value="**">SourceType</choice>
<choice value="***">Index OR Sourcetype</choice>
</input>
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Search</title>
<table>
<search>
<progress>
<set token="adhoc"></set>
</progress>
<query>index=_audit sourcetype=audittrail info!=granted
| rex field=_raw "search=\'(?<search>.*)\',"
| rex field=search max_match=0 "[\w^]*index=\s*\"*(?<idx>[^\s\"]+)"
| rex field=search max_match=0 "sourcetype=[\"]?(?<st>[\S]+)"
| table search user idx st</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">none</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="number" field="time_ago(seconds)">
<option name="precision">0</option>
</format>
<format type="number" field="seconds_ago">
<option name="precision">0</option>
</format>
<format type="number" field="exec_time">
<option name="precision">0</option>
</format>
<format type="number" field="search_lt">
<option name="precision">0</option>
</format>
<format type="number" field="search_et">
<option name="precision">0</option>
<option name="useThousandSeparators">false</option>
</format>
</table>
</panel>
</row>
</form>

ITWhisperer · ‎08-05-2024

Try something like this

<input type="checkbox" token="command" searchWhenChanged="false">
<label>Logically OR'ed Search Command</label>
<default>index=_audit</default>
<initialValue>index=_audit</initialValue>
<choice value="index=_audit">Index</choice>
<choice value="sourcetype=audittrail">SourceType</choice>
<choice value="index=_audit OR sourcetype=audittrail">Index OR Sourcetype</choice>
</input>
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Search</title>
<table>
<search>
<progress>
<set token="adhoc"></set>
</progress>
<query>$command$ info!=granted

harishsplunk7 · ‎08-05-2024

I am looking for custom index in splunk not audit index used in choice.

I have extracted the idx st using rex in 3rd lineof my query, so i need to select either index=aws or sourcetype=aws;cloud in checkbox

<form theme="light">
<label>Logical Test</label>
<fieldset submitButton="true" autoRun="false">
<input type="multiselect" token="index">
<label>Index</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>index_name</fieldForLabel>
<fieldForValue>index_name</fieldForValue>
<search>
<query>| REST /services/data/indexes |dedup title | rename title as index_name | table "index_name"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<delimiter>","</delimiter>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="sourcetype_name">
<label>Sourcetype</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>sourcetype_name</fieldForLabel>
<fieldForValue>sourcetype_name</fieldForValue>
<search>
<query>| tstats count WHERE index IN ("$index$") by sourcetype | rename sourcetype as sourcetype_name</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<delimiter>","</delimiter>
<initialValue>*</initialValue>
</input>
<input type="checkbox" token="field3">
<label>Logical</label>
<choice value="index_name=index AND sourcetype_name=sourcetype">Index AND Sourcetype</choice>
<choice value="index_name=index OR sourcetype_name=sourcetype">Index OR Sourcetype</choice>
<delimiter> </delimiter>
</input>
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-4h@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Search</title>
<table>
<search>
<progress>
<set token="adhoc"></set>
</progress>
<query>index=_audit sourcetype=audittrail info!=granted provenance="UI:Search"
| rex field=_raw "search=\'(?&lt;search&gt;.*)\',"
| rex field=search max_match=0 "[\w^]*index=\s*\"*(?&lt;index_name&gt;[^\s\"]+)"
| rex field=search max_match=0 "sourcetype=[\"]?(?&lt;sourcetype_name&gt;[\S]+)"
| where isnotnull(search)
| search $field3$
| rename info as Completion
| table _time index_name sourcetype_name search, user
| rename user as "accessed by"</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">none</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="number" field="time_ago(seconds)">
<option name="precision">0</option>
</format>
<format type="number" field="seconds_ago">
<option name="precision">0</option>
</format>
<format type="number" field="exec_time">
<option name="precision">0</option>
</format>
<format type="number" field="search_lt">
<option name="precision">0</option>
</format>
<format type="number" field="search_et">
<option name="precision">0</option>
<option name="useThousandSeparators">false</option>
</format>
</table>
</panel>
</row>
</form>

How to add Logical AND or logical OR in splunk dashboard

chart

Classic dashboard

Dashboard Studio

drilldown

panel

table

timechart

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to add Logical AND or logical OR in splunk dashboard