Splunk Search

How to execute/ignore block of code based on token values?

jonvijay1993
Explorer

I have a union [] command that I want to execute only if a check box is checked. How can I manage this? SPL2 branch doesn't work on my dashboard for some reason, and the eval if else only works for assigning a value to a var. What options do I have now?

 

| search | if value = 'so and so' execute union [sql]

ITWhisperer
SplunkTrust

SPL is not a procedural language.

Depending on your actual use case, you could set a token value based on whether the check box is checked which includes all the SPL you want included in your search, and then just use this token in the search.

jonvijay1993
Explorer

I am doing that right now, and it's messy, very messy because my block of code is large and has many other tokens in it. It's just a big mess.

ITWhisperer
SplunkTrust

Another possibility is that you use appendpipe with a where clause to evaluate whether the token is set at the beginning and the rest of the SPL following the where clause.

More than one way to skin a cat!

jonvijay1993
Explorer

Can you give me an example in code? This seems interesting.
This method of skinning a cat seems interesting.

ITWhisperer
SplunkTrust

| search | appendpipe [| where $token$="value meaning execute SPL" | spl to execute]

ITWhisperer
SplunkTrust

You want to add a change handler to the checkbox so that if the box is not checked, it sets the token to "```" and if it is checked, it sets it to ""

| search | appendpipe [$checkboxtoken$ | spl for additional events $checkboxtoken$]

jonvijay1993
Explorer

Hi, I found another solution to my issue that doesn't require me to have the 2nd block of code in the first place. But if I did go ahead with that block I'd have chosen this method. Thanks!

jonvijay1993
Explorer

Is ``` some sort of commenting?

ITWhisperer
SplunkTrust

Yes, as of Splunk version 8.something I think

jonvijay1993
Explorer

I'm gonna try these and get back to you, sir. May the Splunk God be with you!

ITWhisperer
SplunkTrust

Another possibility (untested) is that you set the value of the checkbox token to 3 backticks (denoting start/end of comment) and place the token at the beginning and end of your union commands.
