How to create a search based on a conditional dash...

rubyboomslang · ‎06-19-2017

Psuedocode:

If dashboard token is empty, run X search.
If token is not empty, run Y search.

if($field$ is omitted)
  search index=index1 (other conditions)
else
  search index=index1 field2=$field$)

How do I write this as a Splunk search?

horsefez · ‎06-19-2017

Hi,

could this help you any further?

      <input type="dropdown" token="xyz_application">
        <label>XYZ_Application</label>
        <default>Splunk</default>
        <fieldForLabel>Application</fieldForLabel>
        <fieldForValue>xyz_application</fieldForValue>
        <search>
          <query>index=someindex | dedup xyz_application | sort xyz_application</query>
          <earliest>-60d</earliest>
          <latest>now</latest>
        </search>
      </input>

This searches for "Splunk" as default application or something else, when you specify another one.
You can then simply transfer this token into another panel search or so.

How to create a search based on a conditional dashboard token value?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation