Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do you create a condition on a token to la...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers,
I searched everywhere in answers.com but I didn't find an answer for my problem.
Let me explain you my needs.
I created an App in order to monitor my network security logs and to centralize all the data in a table (source ip, destination, rule name etc). Till now, for this specific kind of logs, I didn't have a problem as the format of the logs received by the different devices is almost the same (some transformations made but without difficulties).
Recently, I started indexing security logs from a JSON generated file and the problem is that I cannot put everything under the same search.
I could make two different dashboards, but the goal is to have a centralized dashboard accessible by the technicians.
So my question is:
Is there anyway to put a condition at the beginning of my search, based on the token's value, and launch the appropriate search?
I'll give you a logical example:
if token1="toto" then search1 else
search 2
I hope that my description was clear.
Thank you in advance
Michael
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mvagionakis,
Its possible to execute different searches based on tokens. There are multiple ways to do that
i.Display results in two panels and based on user selection, show the required panel
<form>
<label>Condition based searches</label>
<fieldset submitButton="false">
<input type="radio" token="search">
<label>Select the search</label>
<choice value="search1">Search1</choice>
<choice value="search2">Search2</choice>
<change>
<condition label="Search1">
<set token="firstpanel">true</set>
<unset token="secondpanel"></unset>
</condition>
<condition>
<set token="secondpanel">true</set>
<unset token="firstpanel"></unset>
</condition>
</change>
<default>search1</default>
</input>
</fieldset>
<row>
<panel depends="$firstpanel$">
<table>
<search>
<query>index=_*|stats count by sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$secondpanel$">
<chart>
<search>
<query>index=_*|timechart span=5m count by sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
</form>
ii.Set different searches as values to the token based on user selection
<form>
<label>Condition based searches</label>
<fieldset submitButton="false">
<input type="radio" token="search">
<label>Select the search</label>
<choice value="index=_* earliest=-15m|stats count by sourcetype">Search1</choice>
<choice value="index=_* earliest=-15m|stats count by source">Search2</choice>
<default>index=_* earliest=-15m|stats count by sourcetype</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>$search$</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Please lets know if you are looking for some other solution
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mvagionakis,
Its possible to execute different searches based on tokens. There are multiple ways to do that
i.Display results in two panels and based on user selection, show the required panel
<form>
<label>Condition based searches</label>
<fieldset submitButton="false">
<input type="radio" token="search">
<label>Select the search</label>
<choice value="search1">Search1</choice>
<choice value="search2">Search2</choice>
<change>
<condition label="Search1">
<set token="firstpanel">true</set>
<unset token="secondpanel"></unset>
</condition>
<condition>
<set token="secondpanel">true</set>
<unset token="firstpanel"></unset>
</condition>
</change>
<default>search1</default>
</input>
</fieldset>
<row>
<panel depends="$firstpanel$">
<table>
<search>
<query>index=_*|stats count by sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$secondpanel$">
<chart>
<search>
<query>index=_*|timechart span=5m count by sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
</form>
ii.Set different searches as values to the token based on user selection
<form>
<label>Condition based searches</label>
<fieldset submitButton="false">
<input type="radio" token="search">
<label>Select the search</label>
<choice value="index=_* earliest=-15m|stats count by sourcetype">Search1</choice>
<choice value="index=_* earliest=-15m|stats count by source">Search2</choice>
<default>index=_* earliest=-15m|stats count by sourcetype</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>$search$</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
Please lets know if you are looking for some other solution
What goes around comes around. If it helps, hit it with Karma 🙂
Splunk Observability as Code: From Zero to Dashboard
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Shape the Future of Splunk: Join the Product Research Lab!
