I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in.
In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 are specified then I want token3 to be disregarded.
Here's what I've been trying, but so far doesn't seem to be working as I'd hoped:
if(($token1$ == "-" AND $token2$ =="-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))
Am I on the right track? Something I'm missing?
Thank you!
I'm working on reproducing this in JSON format for Dashboard Studio, and keep getting an error that the input must have a 'type' specified... any guidance on what that would need to be?
My example is more like pseudo-code than something you could paste into a dashboard. No doubt there are many blanks to be filled in.
JSON input types are in the manual at https://docs.splunk.com/Documentation/Splunk/9.3.2/DashStudio/inputConfig#Input_configuration_options_available_in_the_visual_editor
SPL does not have conditional execution. The if function (not a command or statement) is part of where and eval expressions to help determine the value to test or assign to a field.
In dashboards, conditional execution can be simulated by assigning different search commands to a token based on the value of other tokens.
<input>
...
<condition $token1$="-" AND $token2$="-"> <!-- not the correct syntax-->
<set token="search">Field3=$token3$</set>
</condition>
<condition>
<set token="search">Field1="$token1$"</set>
</condition>
</condition>
</input>
...
<search>
<query>index=foo $search$</query>
</search>
...
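An added example, not part of the original posts: because `if` is usable inside `eval` and `where`, the same either/or filter can also be written as a single query with no conditional token logic. It assumes a Simple XML dashboard with the thread's `token1`, `token2`, `token3` and `Field1`, `Field2`, `Field3`; `use_field3` is a hypothetical helper field, and the `|s` token filter wraps each substituted value in quotes and escapes embedded quotes so typed input cannot break out of the string literal.

```spl
index=foo
| eval use_field3 = if($token1|s$ == "-" AND $token2|s$ == "-", 1, 0)
| where (use_field3 == 1 AND Field3 == $token3|s$)
     OR (use_field3 == 0 AND (Field1 == $token1|s$ OR Field2 == $token2|s$))
| fields - use_field3
```

Comparisons in `where` are exact and case-sensitive, and the filter runs after events are retrieved, so on large indexes the token-based approach above will search less data.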