Re: How to create a search based on a conditional ...

rubyboomslang · ‎06-19-2017

Psuedocode:

If dashboard token is empty, run X search.
If token is not empty, run Y search.

if($field$ is omitted)
  search index=index1 (other conditions)
else
  search index=index1 field2=$field$)

How do I write this as a Splunk search?

horsefez · ‎06-19-2017

Hi,

could this help you any further?

      <input type="dropdown" token="xyz_application">
        <label>XYZ_Application</label>
        <default>Splunk</default>
        <fieldForLabel>Application</fieldForLabel>
        <fieldForValue>xyz_application</fieldForValue>
        <search>
          <query>index=someindex | dedup xyz_application | sort xyz_application</query>
          <earliest>-60d</earliest>
          <latest>now</latest>
        </search>
      </input>

This searches for "Splunk" as default application or something else, when you specify another one.
You can then simply transfer this token into another panel search or so.

How to create a search based on a conditional dashboard token value?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to create a search based on a conditional dashboard token value?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...