Dashboards & Visualizations

Search query within IF statement?

rwheeloc
Engager

I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in.

In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 are specified then I want token3 to be disregarded.

 

Here's what I've been trying, but so far doesn't seem to be working as I'd hoped:

if(($token1$ == "-" AND $token2$ =="-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Something I'm missing?

0 Karma

rwheeloc
Engager

Thank you!

I'm working on reproducing this in JSON format for Dashboard Studio, and keep getting an error that the input must have a 'type' specified... any guidance on what that would need to be?

 

0 Karma

richgalloway
SplunkTrust

My example is more like pseudo-code than something you could paste into a dashboard.  No doubt there are many blanks to be filled in.

JSON input types are in the manual at https://docs.splunk.com/Documentation/Splunk/9.3.2/DashStudio/inputConfig#Input_configuration_options_available_in_the_visual_editor

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

SPL does not have conditional execution.  The if function (not a command or statement) is part of where and eval expressions to help determine the value to test or assign to a field.

In dashboards, conditional execution can be simulated by assigning different search commands to a token based on the value of other tokens.

<input>
...
  <condition $token1$="-" AND $token2$="-">  <!-- not the correct syntax-->
    <set token="search">Field3=$token3$</set>
  </condition>
  <condition>
    <set token="search">Field1="$token1$"</set>
  </condition>
</input>
...
  <search>
    <query>index=foo $search$</query>
  </search>
...
---
If this reply helps you, Karma would be appreciated.
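
A single-search alternative, added here as an example and not taken from either poster: because if() can assign a field value inside eval, the choice between the token3 filter and the token1/token2 filter can be made in SPL itself instead of in a conditionally set token. It assumes a Simple XML dashboard, where the `|s` token filter wraps the substituted value in quotes; index=foo and Field1 to Field3 are the thread's placeholder names, and use_token3 is a hypothetical helper field.

```spl
index=foo
| eval use_token3=if($token1|s$ == "-" AND $token2|s$ == "-", 1, 0)
| where (use_token3 == 1 AND Field3 == $token3|s$)
     OR (use_token3 == 0 AND (Field1 == $token1|s$ OR Field2 == $token2|s$))
| fields - use_token3
```

The where command compares values exactly and case-sensitively, unlike the search command, and this form filters after the events are retrieved from the index, so it is slower on large data sets than a token that changes the base search.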