Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search query within IF statement?

rwheeloc
Explorer
‎11-19-2024 07:55 AM

I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in.

In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 are specified then I want token3 to be disregarded.

 

Here's what I've been trying, but so far doesn't seem to be working as I'd hoped:

if(($token1$ == "-" AND $token2$ =="-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Something I'm missing?

Labels (2)
Labels
0 Karma
Reply

rwheeloc
Explorer
‎11-19-2024 12:49 PM

Thank you!

I'm working on reproducing this in json format for Dashboard Studio, and keep getting an error that the input myast have a 'type' specified... any guidance on what that would need to be?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2024 01:13 PM

My example is more like pseudo-code than something you could paste into a dashboard.  No doubt there are many blanks to be filled in.

JSON input types are in the manual at https://docs.splunk.com/Documentation/Splunk/9.3.2/DashStudio/inputConfig#Input_configuration_options_available_in_the_visual_editor

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2024 08:19 AM

SPL does not have conditional execution.  The if function (not a command or statement) is part of where and eval expressions to help determine the value to test or assign to a field.

In dashboards, conditional execution can be simulated by assigning different search commands to a token based on the value of other tokens.

<input>
...
  <condition $token1="-" AND $token2$="-">  <!-- not the correct syntax-->
    <set token="search">Field3=$token$</set>
  </condition>
  <condition>
    <set token="search">Field11=$token1"</set>
  </condition>
</input>
...
  <search>
    <query>index=foo $search$</query>
  </search>
...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...