Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Executing Conditional Queries in Splunk Based on Input Value

taruntalreja
New Member
‎10-30-2024 07:44 AM

I have two query in splunk query 1 and query 2 and an input. Based on the input, i need to execute either query 1 or query 2. I am trying something like below query but it is not working for me.

 

| makeresults
| eval myInput="*"

| append [
search "my search related to query 1"
| rex field=_raw "Job id : (?<job_id>[^,]+)"
| where myInput="*"
| eval query_type="query1"
| table job_id, query_type, myInput
]
| append [
search "my search related to query 2"
| rex field=_raw "Job id : (?<job_id>[^,]+)"
| where myInput!="*"
| eval query_type="query2"
| table job_id, query_type, myInput
]

 




Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2024 06:14 AM

SPL does not support conditional execution of commands.  It can be simulated in a dashboard by setting a token to the desired search string and referencing the token in the query.

<fieldset>
  <input token="myInput"...>
    <change>
      <condition match="<<option 1>>">
        <set token="query">SPL for option 1</set>
      </condition>
      <condition match="<<option 2>>">
        <set token="query">SPL for option 2></set>
      </condition>
    </change>
  </input>
</fieldset>
...
<row>
  <panel>
    <table>
      <search>
        <query>$query$</query>
      </search>
    </table>
  </panel>
</row>
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

alexandarmatev1
Loves-to-Learn
‎10-30-2024 09:53 AM 
| makeresults
| eval myInput="*"

| append [
    | search "my search related to query 1"
    | rex field=_raw "Job id : (?<job_id>[^,]+)"
    | eval query_type=if(myInput="*", "query1", null())
    | where query_type="query1"
    | table job_id, query_type, myInput
]

| append [
    | search "my search related to query 2"
    | rex field=_raw "Job id : (?<job_id>[^,]+)"
    | eval query_type=if(myInput!="*", "query2", null())
    | where query_type="query2"
    | table job_id, query_type, myInput
]
0 Karma
Reply

taruntalreja
New Member
‎10-30-2024 10:11 AM

This solution does not work, I am getting empty result. I think there is an issue and myInput variable is not passed in append. One more issue with this solution is that both the queries will be running but we know beforehand which query to run, so I am looking for some optimized solution where only 1 query is ran based on the filter.

0 Karma
Reply

alexandarmatev1
Loves-to-Learn
‎10-30-2024 11:03 AM

Why don't you try with macros and if, case statement? 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...