Getting Data In

How do you create a condition on a token to launch in a search?

mvagionakis
Path Finder

Hello Splunkers,

I searched everywhere in answers.com but I didn't find an answer for my problem.

Let me explain my needs.

I created an App in order to monitor my network security logs and to centralize all the data in a table (source IP, destination, rule name, etc.). Till now, for this specific kind of logs, I didn't have a problem, as the format of the logs received from the different devices is almost the same (some transformations were made, but without difficulties).

Recently, I started indexing security logs from a JSON-generated file, and the problem is that I cannot put everything under the same search.

I could make two different dashboards, but the goal is to have a centralized dashboard accessible by the technicians.

So my question is:

Is there any way to put a condition at the beginning of my search, based on the token's value, and launch the appropriate search?

I'll give you a logical example:

if token1="toto" then search1 else
search 2

I hope that my description was clear.

Thank you in advance
Michael

0 Karma
1 Solution

renjith_nair
Legend

@mvagionakis,

It's possible to execute different searches based on tokens. There are multiple ways to do that:

i. Display results in two panels and, based on user selection, show the required panel

<form>
  <label>Condition based searches</label>
  <fieldset submitButton="false">
    <input type="radio" token="search">
      <label>Select the search</label>
      <choice value="search1">Search1</choice>
      <choice value="search2">Search2</choice>
      <!-- The change handler runs on load (for the default) and on every selection:
           it sets the token of the panel to show and unsets the other one. -->
      <change>
        <condition label="Search1">
          <set token="firstpanel">true</set>
          <unset token="secondpanel"></unset>
        </condition>
        <!-- Fallback condition: any other selection shows the second panel. -->
        <condition>
          <set token="secondpanel">true</set>
          <unset token="firstpanel"></unset>
        </condition>
      </change>
      <default>search1</default>
    </input>
  </fieldset>
  <row>
    <!-- A panel with depends="$token$" is rendered only while that token is set. -->
    <panel depends="$firstpanel$">
      <table>
        <search>
          <query>index=_*|stats count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$secondpanel$">
      <chart>
        <search>
          <query>index=_*|timechart span=5m count by sourcetype</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>

ii. Set different searches as values of the token based on user selection

<form>
  <label>Condition based searches</label>
  <fieldset submitButton="false">
    <!-- Here the choice value is the SPL itself, so $search$ expands to the whole query.
         Values containing <, > or & must be XML-escaped (&lt; &gt; &amp;). -->
    <input type="radio" token="search">
      <label>Select the search</label>
      <choice value="index=_* earliest=-15m|stats count by sourcetype">Search1</choice>
      <choice value="index=_* earliest=-15m|stats count by source">Search2</choice>
      <default>index=_* earliest=-15m|stats count by sourcetype</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- The token value is also settable through the form.search URL parameter;
             whatever it contains runs with the viewing user's own search permissions. -->
        <search>
          <query>$search$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Please let us know if you are looking for some other solution.

---
What goes around comes around. If it helps, hit it with Karma 🙂


0 Karma
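A third variant, added here as an editor's example and not part of the original answer: it combines the two approaches above so that the radio button carries only a short label, the `<change>` conditions map that label to the source-specific part of the search, and a single panel shows the same normalised columns (source IP, destination IP, rule name) whichever source is selected, which is the centralized table the question asks for. The index name `security`, the sourcetypes `fw:syslog` and `fw:json`, and the raw field names being renamed are assumptions for illustration; substitute your own.

```xml
<form>
  <label>Centralized security events (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="timerange">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="radio" token="logsource" searchWhenChanged="true">
      <label>Log source</label>
      <choice value="syslog">Firewall syslog</choice>
      <choice value="json">JSON export</choice>
      <choice value="all">Both</choice>
      <default>all</default>
      <!-- The radio value is only a label. The SPL that actually runs is chosen here,
           in the dashboard XML, and stored in the $normalize$ token. Index, sourcetypes
           and raw field names are assumed for this example. -->
      <change>
        <condition label="Firewall syslog">
          <set token="normalize">sourcetype="fw:syslog" | rename src AS src_ip, dst AS dest_ip, rule AS rule_name</set>
        </condition>
        <condition label="JSON export">
          <set token="normalize">sourcetype="fw:json" | spath | rename "source.ip" AS src_ip, "destination.ip" AS dest_ip, "policy.name" AS rule_name</set>
        </condition>
        <condition label="Both">
          <!-- coalesce() takes the first non-null field, so each event keeps whichever
               names it has; dotted JSON paths must be single-quoted inside eval. -->
          <set token="normalize">(sourcetype="fw:syslog" OR sourcetype="fw:json") | spath | eval src_ip=coalesce(src, 'source.ip'), dest_ip=coalesce(dst, 'destination.ip'), rule_name=coalesce(rule, 'policy.name')</set>
        </condition>
        <!-- No fallback condition on purpose: an unexpected value (for example from a
             hand-edited form.logsource URL parameter) leaves $normalize$ unset, and a
             search whose query references an unset token does not run. -->
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Security events: $logsource$</title>
      <table>
        <search>
          <query>index=security $normalize$ | table _time src_ip dest_ip rule_name | sort -_time</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Save it as a dashboard in the app; technicians leave "Both" selected for the centralized view, and the two single-source choices are useful when one feed's field extraction needs checking on its own. Keeping the SPL fragments in the conditions rather than in the choice values means the query that runs is always one of the fragments written in the XML, not whatever string the input token happens to hold.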
