Splunk Search

Alter query based on value of a field within the query itself

ohlafl
Communicator

So I have a query that needs to change based on the value of a field within that query.

This is the "original" query: index=a element=value host=* ...[rest of query]

If element="example" then the original query is to be parsed; however, if element="All" then the query needs to be altered:

index=a element!=* host=* .... [rest of query]

Note the example!= ... how should one approach this?

1 Solution

MuS
Legend

Hi ohlafl,

No, this is not possible with Splunk native simple XML. But I assume you could use some JS to parse the user input, change the SPL according to the user input and run the search then.

cheers, MuS


ohlafl
Communicator

I actually managed to solve this by creating a really ugly workaround:

I created a parent dashboard with two separate tables, one table for where the element operator value would be "=" and one for "!=". When a value is clicked, the resulting drilldown will pass the operator as a hardcoded token depending on which table has been clicked.

The search query in the drilldown dashboard then dynamically digests the token operator as $operator$ which means that element$operator$ either equals element= or element!=.

Probably difficult to understand but for a person with the same problem this might be of some value.
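The workaround described above, written out as an added Simple XML example (not the poster's own dashboards): it collapses the parent and drilldown dashboards into a single dashboard, where each table's drilldown sets an operator token and an element token, and a third panel's search splices them together as element$operator$$element$. The index and field names come from the question; the panel titles and the 24-hour time range are assumed.

```xml
<dashboard>
  <label>Operator token drilldown (added example)</label>
  <row>
    <panel>
      <title>Specific elements (drilldown sets operator to =)</title>
      <table>
        <search>
          <query>index=a element!="All" | stats count by element</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- Clicking a row hardcodes "=" and passes the clicked element value -->
          <set token="operator">=</set>
          <set token="element">$click.value$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <title>All (drilldown sets operator to !=)</title>
      <table>
        <search>
          <!-- Constructed single-row table so there is something to click -->
          <query>| makeresults | eval element="All" | table element</query>
        </search>
        <drilldown>
          <!-- Clicking here hardcodes "!=" and "*", giving element!=* -->
          <set token="operator">!=</set>
          <set token="element">*</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$operator$">
      <!-- Title shows the spliced expression that the search below runs -->
      <title>Search run as: element$operator$$element$</title>
      <table>
        <search>
          <query>index=a element$operator$$element$ host=* | stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The lower panel stays hidden until one of the tables has been clicked, because its depends attribute is only satisfied once the operator token has been set.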


ohlafl
Communicator

Thank you, this was what I suspected.

0 Karma

woodcock
Esteemed Legend

I don't understand your question; it would help if you expanded your example much more fully.

0 Karma

cpetterborg
SplunkTrust

I suspect that the queries are being chopped up a bit due to the formatting that happens with some of the characters in the query. Please use the "Code Sample" tagging on the queries, then make sure that the query characters all transfer properly to the view that comes out in the web page. I don't know if that is woodcock's problem, but it certainly is confusing my understanding of your question.

0 Karma

MuS
Legend

It's not chopped up and it looks like I'm understanding the question 😉

0 Karma