Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Different query's based on the result of previous Token

splunk_exercice
New Member
‎06-11-2018 08:45 AM

Hello,

I have a doubt that I think it´s easy to respond, but until now, I have no results.
I want to make an query that depends on the result of a token, example:

  • If the token is set to yeallow,
    • then the following query will be executed: index=a | stats count by field.name1
  • If the token is set to red,
    • then the following query will be executed: index=b | stats count by field.name2, field.name4
  • If the toke is set to green,
    • then the following query will be executed: index=c | stats count by field.name3, field.name5, field.name6

How can I achieve this?

Thanks in advance.

Best regards.

Tags (1)
0 Karma
Reply

harishalipaka
Motivator
‎06-11-2018 11:26 PM 
<form>
  <label>Sample</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="selected" searchWhenChanged="true">
      <label>Your Token</label>
      <choice value="field.name1">Yellow</choice>
      <choice value="field.name2, field.name4">red</choice>
      <choice value="field.name3, field.name5, field.name6">green</choice>
      <default>Yellow</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>|stats count by $selected$</title>
      <single>
        <search>
          <query>|makeresults |eval tokenvalue="$selected$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</form>
Thanks
Harish
0 Karma
Reply

vasanthmss
Motivator
‎06-11-2018 09:15 AM

Hi,

This can be achieve by a simple token you can use refer the below sample.

Description:

Token named "token" can be set to the search based on user selection. With this example i've used the internal index, you may want to try with your index.

Note: This sample will run only you
have access to internal index.

<form>
  <label>Sample</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="token" searchWhenChanged="true">
      <label>Your Token</label>
      <choice value="index=_internal | head 10 | stats c by host">host</choice>
      <choice value="index=_internal | head 10 | stats c by sourcetype, host">sourcetype, host</choice>
      <choice value="index=_internal | head 10 | stats c by source, host, sourcetype">source, host, sourcetype</choice>
      <default>index=_internal | head 10 | stats c by host</default>
      <initialValue>index=_internal | head 10 | stats c by host</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>$token$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Thanks,
V

V
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...