Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to execute/ignore block of code based on token values?

jonvijay1993
Explorer
‎05-17-2023 06:31 AM

I have a union [] command that I want to execute only if a check box is checked, how can I manage this? SPL2 branch doesn't work on my dashboard for some reason and the eval if else only works for assigning a value to a var, what options do I have now?

 

| search | if value = 'so and so' execute union [sql]

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:41 AM

You want to add a change handler to the checkbox so that if the box is not checked, it sets the token to "```" and if it is checked, it sets it to ""

| search | appendpipe [$checkboxtoken$ | spl for additional events $checkboxtoken$]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:18 AM

SPL is not a procedural language.

Depending on you actual usecase, you could set a token value based on whether the check box is checked which includes all the SPL you want included in your search, and then just use this token in the search.

Reply
Solved! Jump to solution

jonvijay1993
Explorer
‎05-17-2023 07:24 AM

I am doing that right now, and it's messy, very messy because my block of code is large and has many other tokens in it. It's just a big mess.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:33 AM

Another possibility is that you use appendpipe with a where clause to evaluate whether the token is set at the beginning and the rest of the SPL following the where clause

More than one way to skin a cat!

0 Karma
Reply
Solved! Jump to solution

jonvijay1993
Explorer
‎05-17-2023 07:36 AM

can you give me an example in code, this seems interesting
this method of skinning a cat seems interesting 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:42 AM 
| search | appendpipe [| where $token$="value meaning execute SPL" | spl to execute]
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:41 AM

You want to add a change handler to the checkbox so that if the box is not checked, it sets the token to "```" and if it is checked, it sets it to ""

| search | appendpipe [$checkboxtoken$ | spl for additional events $checkboxtoken$]
0 Karma
Reply
Solved! Jump to solution

jonvijay1993
Explorer
‎05-24-2023 01:46 AM

Hi, I found another solution to my issue that doesn't require me to have the 2nd block of code in the first place. But if I did go ahead with that block I'd have chosen this method. Thanks!

0 Karma
Reply
Solved! Jump to solution

jonvijay1993
Explorer
‎05-17-2023 07:45 AM

Is ``` some sort of commenting?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:46 AM

Yes, as of Splunk version 8.something I think

Reply
Solved! Jump to solution

jonvijay1993
Explorer
‎05-17-2023 07:48 AM

I'm gonna try these and get back to you sir, May the Splunk God be with you!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 07:28 AM

Another possibility (untested) is that you set the value of the checkbox token to 3 backticks (denoting start/end of comment) and place the token at the beginning and end of your union commands

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...