Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditionally search if search field exists

cclva
Explorer
‎05-06-2021 08:51 AM

I have a dashboard which provides a handful of filter criteria, for example, `fieldA=A` and `fieldB=B`.

One such criteria changes the application I am searching on, which does not have `fieldA`.  Is there a way to conditionally set my filters such that they only apply to my search query only if `fieldA` exists in an application's logs?

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-06-2021 04:04 PM

You can probably do this using a where clause after the search, as it's not possible to know in advance of seeing the data, if the field exists in the data.

| where (isnull(fieldA) OR match(fieldA,$fieldAFilterToken$))

Alternatively, you can set up the dashboard inputs for the filters to load their own filter options from a lookup, where the lookup key is the selected application. When you change that application, the token for that application will get a new value, so the inputs with the filter options will then rerun the populating searches to get the filter options from the lookup for each input.

e.g. filter_options.csv

app,filterA,filterB
app1,A,B
app2,,B
app3,A,
app4,,

so your search that populates the filter A selection would do something like

| inputlookup filter_options.csv where app=$selected_app_token|s$
| fields filterA

and the same for B etc.

Hopefully this gives you something to play with.

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...