Splunk Search

Alter query based on value of a field within the query itself

Communicator

So I have a query that needs to change based on the value of a field within that query.

This is the "original" query: index=a element=value host=* ...[rest of query]

If element="example" then the original query is to be parsed, however if element="All" then the query needs to be altered:

index=a element!=* host=* .... [rest of query]

Note the example!= ... how should one approach this?

1 Solution

SplunkTrust

Hi ohlafl,

No, this is not possible with Splunk native simple XML. But I assume you could use some JS to parse the user input, change the SPL according to the user input and run the search then.

cheers, MuS


Communicator

I actually managed to solve this by creating a really ugly workaround:

I created a parent dashboard with two separate tables, one table for where the element operator value would be "=" and one for "!=", when a value is clicked the resulting drilldown will pass the operator as a hardcoded token depending on what table has been clicked.

The search query in the drilldown dashboard then dynamically digests the token operator as $operator$ which means that element$operator$ either equals element= or element!=.

Probably difficult to understand but for a person with the same problem this might be of some value.
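
As an added example (not code from the thread, nor from Splunk): the query-building step MuS describes in the accepted answer, done in JavaScript, which also covers the operator/value token pair the workaround above passes to its drilldown dashboard. It assumes the base search `index=a ... host=*`, with `host=*` standing in for the OP's `[rest of query]`, treats the literal input `All` as the OP's `element!=*` case, and the dashboard wiring named in the comments (`splunkjs/mvc`, a search manager with id `childSearch`) is an assumption about how it would be hooked into a dashboard, not something the thread shows.

```javascript
// Added example: build the SPL in JavaScript (MuS's suggestion) instead of
// letting Simple XML splice raw tokens into <query>. The base search, the
// "All" sentinel and the "childSearch" id are assumptions for illustration.

// The only two operators the workaround's $operator$ token is ever meant to carry.
const ALLOWED_OPERATORS = new Set(["=", "!="]);

// Placeholder for the OP's "[rest of query]".
const REST_OF_QUERY = "host=*";

// Quote a value for use as an SPL string literal. Inside double quotes SPL
// uses backslash escapes, so the backslash and the double quote are escaped.
function splQuote(value) {
  const escaped = String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `"${escaped}"`;
}

// The OP's original question: one user selection drives which form of the
// search runs. "All" means "events with no element field" (element!=*),
// anything else is matched as an exact, quoted value.
function buildSearch(element) {
  if (element === "All") {
    return `index=a element!=* ${REST_OF_QUERY}`;
  }
  return `index=a element=${splQuote(element)} ${REST_OF_QUERY}`;
}

// The workaround's child dashboard receives the operator and the value as
// separate tokens and concatenates them (element$operator$$element$). Doing
// the same in JS lets us check the operator against the allow-list first and
// quote the value, so neither token can smuggle extra SPL into the search.
// Only a bare "*" is passed through unquoted as a wildcard.
function buildSearchFromTokens(operator, value) {
  if (!ALLOWED_OPERATORS.has(operator)) {
    throw new Error(`rejected operator token: ${JSON.stringify(operator)}`);
  }
  const rhs = value === "*" ? "*" : splQuote(value);
  return `index=a element${operator}${rhs} ${REST_OF_QUERY}`;
}

// Dashboard wiring (assumed, shown as a comment so the file runs outside Splunk):
//   require(["splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], function (mvc) {
//     var tokens = mvc.Components.get("default");   // the dashboard's token model
//     var search = mvc.Components.get("childSearch"); // a SearchManager by id
//     search.settings.set("search", buildSearch(tokens.get("element")));
//   });

// Stand-alone demonstration of the three cases the thread talks about.
console.log(buildSearch("example"));
console.log(buildSearch("All"));
console.log(buildSearchFromTokens("!=", "*"));
```

The reason for `splQuote` and the allow-list is that both the user's value and the `$operator$` token end up spliced into SPL as plain text. Simple XML substitutes tokens verbatim, and a form token of a drilldown dashboard can also be set directly in that dashboard's URL (`form.operator=...`), so anyone who can open the child dashboard can put an arbitrary SPL fragment there. The search still runs under the viewer's own role and index permissions, but the panel no longer shows what its author intended; checking the operator against the two expected values and quoting the value closes that gap.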


Communicator

Thank you, this is what I suspected.


Esteemed Legend

I don't understand your question; it would help if you expanded your example much more fully.


SplunkTrust

I suspect that the queries are being chopped up a bit due to the formatting that happens with some of the characters in the query. Please use the "Code Sample" tagging on the queries, then make sure that the query characters all transfer properly to the view that comes out in the web page. I don't know if that is woodcock's problem, but it certainly is confusing my understanding of your question.


SplunkTrust

It's not chopped up and it looks like I'm understanding the question 😉
