Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search query within IF statement?

rwheeloc
Explorer
‎11-19-2024 07:55 AM

I'm trying to come up with a search query that ignores parameters if left blank, but ignores other parameters if filled in.

In this case, "-" is the default value for token1 and token2. If token1 and token2 are left at this default, I want to find results based only on token3; but if token1 or token2 are specified then I want token3 to be disregarded.

 

Here's what I've been trying, but so far doesn't seem to be working as I'd hoped:

if(($token1$ == "-" AND $token2$ =="-"), (search Field3=$token3$), (search Field1="$token1$" OR Field2="$token2$"))

Am I on the right track? Something I'm missing?

Labels (2)
Labels
0 Karma
Reply

rwheeloc
Explorer
‎11-19-2024 12:49 PM

Thank you!

I'm working on reproducing this in json format for Dashboard Studio, and keep getting an error that the input myast have a 'type' specified... any guidance on what that would need to be?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2024 01:13 PM

My example is more like pseudo-code than something you could paste into a dashboard.  No doubt there are many blanks to be filled in.

JSON input types are in the manual at https://docs.splunk.com/Documentation/Splunk/9.3.2/DashStudio/inputConfig#Input_configuration_options_available_in_the_visual_editor

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2024 08:19 AM

SPL does not have conditional execution.  The if function (not a command or statement) is part of where and eval expressions to help determine the value to test or assign to a field.

In dashboards, conditional execution can be simulated by assigning different search commands to a token based on the value of other tokens.

<input>
...
  <condition $token1="-" AND $token2$="-">  <!-- not the correct syntax-->
    <set token="search">Field3=$token$</set>
  </condition>
  <condition>
    <set token="search">Field11=$token1"</set>
  </condition>
</input>
...
  <search>
    <query>index=foo $search$</query>
  </search>
...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...