Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search query within IF statement?

rwheeloc
Explorer
‎11-19-2024 07:55 AM

I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in.

In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 are specified then I want token3 to be disregarded.

 

Here's what I've been trying, but so far doesn't seem to be working as I'd hoped:

if(($token1$ == "-" AND $token2$ =="-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Something I'm missing?

Labels (2)
Labels
0 Karma
Reply

rwheeloc
Explorer
‎11-19-2024 12:49 PM

Thank you!

I'm working on reproducing this in json format for Dashboard Studio, and keep getting an error that the input myast have a 'type' specified... any guidance on what that would need to be?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2024 01:13 PM

My example is more like pseudo-code than something you could paste into a dashboard.  No doubt there are many blanks to be filled in.

JSON input types are in the manual at https://docs.splunk.com/Documentation/Splunk/9.3.2/DashStudio/inputConfig#Input_configuration_options_available_in_the_visual_editor

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2024 08:19 AM

SPL does not have conditional execution.  The if function (not a command or statement) is part of where and eval expressions to help determine the value to test or assign to a field.

In dashboards, conditional execution can be simulated by assigning different search commands to a token based on the value of other tokens.

<input>
...
  <condition $token1="-" AND $token2$="-">  <!-- not the correct syntax-->
    <set token="search">Field3=$token$</set>
  </condition>
  <condition>
    <set token="search">Field11=$token1"</set>
  </condition>
</input>
...
  <search>
    <query>index=foo $search$</query>
  </search>
...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...
Top