Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dynamic filter in WHERE statement

alessj
Engager
‎01-30-2020 06:06 AM

Hello,

I would like to use a dynamic filter. I have a dropdown($pool$) which select only one value from a list. I want to add a static value "all" that take all the values in the list.

Code working at this moment :
index source
| lookup bundle_3dexp.csv bundleid OUTPUTNEW bundleCode
| eval poolname=bundleCode+poolLetter
| where (poolname="$pool$" AND date >= "$time$")
| dedup login
| table login

How should i modify the code ? Adding an IF statement with the WHERE ?

Thanks you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wmyersas
Builder
‎01-30-2020 12:00 PM

First, as @skoelpin suggested, change from where to search

Second, create a static drop-down option named "All" with a value of "*"

Then when the | search poolname="$pool$" date>="$time$" runs, if you've selected "All" for the $pool$ dropdown, it will fill-in | search poolname="*" date>="$time$"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

wmyersas
Builder
‎01-30-2020 12:00 PM

First, as @skoelpin suggested, change from where to search

Second, create a static drop-down option named "All" with a value of "*"

Then when the | search poolname="$pool$" date>="$time$" runs, if you've selected "All" for the $pool$ dropdown, it will fill-in | search poolname="*" date>="$time$"

0 Karma
Reply
Solved! Jump to solution

alessj
Engager
‎01-31-2020 01:39 AM

i wasn't aware of search function

Reply
Solved! Jump to solution

wmyersas
Builder
‎01-31-2020 10:42 AM

Now you are =D

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-31-2020 06:53 AM

where is used to compare fields and search is used to compare a field to a value. You can only evaluate one function with the where. You can do multiple with a search

Your token is rendered a value before getting passed to that search filter so you are comparing a field to a value.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎01-31-2020 10:44 AM

where is used to compare fields and search is used to compare a field to a value. You can only evaluate one function with the where. You can do multiple with a search

That's not true. You can use multiple conditions in a where clause. You can do | where like(field,"%value%") AND field2<$token$ AND match(field3,"<regex>")...

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-30-2020 10:38 AM

Have you tried changing where to search?

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...