Splunk Search

Drill Down and conditional queries

emilep
Explorer

In a drilldown, I have 2 possible queries and they look like:
qry1=index=fed:xxx_yyyy sourcetype="aaaaa:bbbbb:cccc" source_domain="$token_source_domain$" AND ( mid="$token_mid$" OR "MID $token_mid$")
qry2=index=fed:xxx_yyyy sourcetype="aaaaa:bbbbb:cccc" source_domain="$token_source_domain$" AND (icid="$token_icid$" OR mid="$token_mid$" OR "MID $token_mid$")
if $token_icid$ == 0 then execute qry1 else execute qry2
How can this be achieved?

ChatGPT gave this answer, but it is not working:
index=fed:xxx_yyyy sourcetype="aaaaa:bbbbb:cccc" source_domain="$token_source_domain$" AND ( (($token_icid$=="0") AND (mid="$token_mid$")) OR (($token_icid$!="0") AND (icid="$token_icid$")) OR mid="$token_mid$" OR "MID $token_mid$" )

1 Solution

bowesmana
SplunkTrust

If you post your existing XML it would be helpful, but I am assuming you have something like

<drilldown>
  <set token="token_icid">$row.icid$</set>
</drilldown>

so there are a number of ways to do what you want, but one way is to make an additional constraint for icid that is either empty or the check, as the rest of the search is the same.

<drilldown>
  <set token="token_icid">$row.icid$</set>
  <!-- token_query is empty when icid is 0 (qry1) and carries the icid clause otherwise (qry2).
       The row value is compared as a string so a non-numeric icid does not break the eval. -->
  <eval token="token_query">if("$row.icid$"!="0", "icid=\"".$row.icid$."\" OR ", "")</eval>
</drilldown>


Then your search can be

index=fed:xxx_yyyy sourcetype="aaaaa:bbbbb:cccc" source_domain="$token_source_domain$" AND ($token_query$ mid="$token_mid$" OR "MID $token_mid$")

so you just add $token_query$, which is either empty or the additional icid constraint.


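The following Simple XML dashboard wires the accepted approach end to end: a source panel whose rows set the tokens, a drilldown eval that adds the icid clause only when icid is neither 0 nor empty, and a target panel that runs the shared search with the optional clause spliced in. It is an added example, not code from the original thread. The index, sourcetype and field names come from the question; the source panel's `stats` search, the panel titles, the time range and the `depends` attribute are assumptions.

```xml
<dashboard>
  <label>Drilldown with a conditional icid constraint</label>
  <row>
    <panel>
      <title>Messages (click a row to drill down)</title>
      <table>
        <search>
          <!-- Assumed source search: one row per message with
               source_domain, mid and icid columns. -->
          <query>index=fed:xxx_yyyy sourcetype="aaaaa:bbbbb:cccc"
| stats latest(icid) as icid by source_domain mid</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <set token="token_source_domain">$row.source_domain$</set>
          <set token="token_mid">$row.mid$</set>
          <set token="token_icid">$row.icid$</set>
          <!-- icid of 0 or missing: no icid constraint (qry1).
               Anything else: prepend the icid clause (qry2).
               String comparison avoids an eval parse error when icid is not numeric. -->
          <eval token="token_query">if("$row.icid$"=="0" OR "$row.icid$"=="", "", "icid=\"".$row.icid$."\" OR ")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row depends="$token_mid$">
    <panel>
      <title>Events for MID $token_mid$</title>
      <event>
        <search>
          <!-- Target panel: the part both queries share, plus the optional icid clause.
               $token|s$ is Splunk's token filter that wraps the value in double quotes
               and escapes embedded quotes, so a clicked row value cannot rewrite the search. -->
          <query>index=fed:xxx_yyyy sourcetype="aaaaa:bbbbb:cccc" source_domain=$token_source_domain|s$
  AND ($token_query$ mid=$token_mid|s$ OR "MID $token_mid$")</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </event>
    </panel>
  </row>
</dashboard>
```

Two points worth checking when adapting this: the target panel only renders once `token_mid` is set, so the `depends` attribute keeps it hidden until a row is clicked; and the phrase form `"MID $token_mid$"` still substitutes the raw row value, because `|s` would add a second pair of quotes inside the phrase. Keep that form only where mid values are produced by your own indexing pipeline rather than taken from untrusted event fields.
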
emilep
Explorer

Problem solved.
Many thanks for your help.


yuanliu
SplunkTrust

Before volunteers can help you achieve something, you need to explain what it is that you are trying to achieve without SPL (or ChatGPT).

  1. What do you mean by "in a drilldown"? You can have a drilldown only when you have an initial search (in a dashboard panel). What does the output of that search look like? Your code snippets suggest that you want to set tokens from that output. Is this correct? Which column from the initial search is designated to populate which token?
  2. What do you mean by "2 possible queries" when you "have a (aka ONE) drilldown"? Do you mean you have two other panels on the same dashboard that could use the token(s) populated by this drilldown?
  3. Again, taking away SPL, can you illustrate some data from the initial panel (anonymized as needed), then illustrate (aka tabulate) the end state of the two panels you wish to alter with this drilldown, and explain how the data is related to the end state (without SPL)?
  4. If any SPL is "not working", you need to explain/illustrate the data, then describe/illustrate the actual output, illustrate the expected output, and explain why it is reasonable to arrive at that expected output. Sometimes you also need to explain how the two outputs differ if it is not painfully obvious.