Splunk Search

How to run search based on a condition?

rarangarajanspl
Explorer

I have a couple of search queries that should run based on certain conditions. However, a search query in my dashboard runs before I click the submit button, even though I have set submitButton="true" and autoRun="false" on the fieldset.

The respective search query should be executed based on the radio button selection and a click of the submit button. I want the input query to run once the Input radio button is selected and the submit button is clicked. Screenshots are attached.

Dashboard: When I open the dashboard, it shows a couple of radio buttons (Input and Output) and the submit button. When I click the Input radio button, the Input Panel is displayed with 6 text fields and a submit button (which invokes the input search query). When I click the Output radio button, the Output Panel is displayed with 6 text fields and a submit button (which invokes the output search query).

<form>
<label>DemoDashBoard1</label>
<!-- Form with a Submit button; autoRun="false" asks the dashboard not to run its searches on first load. -->
<fieldset submitButton="true"  autoRun="false">
  <!-- Radio selector: value 1 sets tkninput and unsets tknoutput, value 2 does the reverse.
       Those two tokens drive the depends attributes on the text inputs and panels below. -->
  <input type="radio" token="searchBy" searchWhenChanged="false">  <label>SearchBy</label>  <choice value="1">Input</choice>
    <choice value="2">Output</choice>
    <change>
      <condition value="1">
        <set token="tkninput">true</set>
        <unset token="tknoutput"></unset>
      </condition>
      <condition value="2">
        <set token="tknoutput">true</set>
        <unset token="tkninput"></unset>
      </condition>
    </change>
  </input>
  <!-- Free-text input, shown only while tkninput is set. The change handler replaces an
       empty value with the wildcard * so the token always carries something. -->
  <input type="text" token="EventType" depends="$tkninput$">
    <label>EventType</label>
    <default></default>
    <change>
       <condition value="">
         <set token="EventType">*</set>
       </condition>
     </change>
  </input>
         <!-- Same pattern for the output side: shown only while tknoutput is set, empty becomes *. -->
         <input type="text" token="businessEventTrigger"  depends="$tknoutput$">
    <label>businessEventTrigger</label>
    <default></default>
    <change>
       <condition value="">
         <set token="businessEventTrigger">*</set>
       </condition>
     </change>
  </input>
      </fieldset>
<!-- Form-level search that sits outside every panel; the only token it references is $EventType$.
     NOTE(review): $EventType$ is inserted into the SPL exactly as typed, so spaces, quotes or a
     pipe in the text box become part of the search string. $EventType|s$ would insert the value
     as a quoted string instead (the same filter is used on $searchBy|s$ later in this thread);
     a quoted "*" still acts as a wildcard in the search command.
     The word businesseventtrigger in this query is a bare search term, not a token reference. -->
<search>
   <query> host= "tnt_log_mar" | xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType | search ns0:ProcessId (EventType=$EventType$ OR businesseventtrigger) | table ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010OrigId nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsOriginId rocsDestinationId  tripLegSeqNbr  publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp estDprtTmstp  | selfjoin  ns0:ProcessId | dedup ns0:ProcessId</query>
   <!-- When the job reports completion, copy $result.search$ into the inputQuery token.
        NOTE(review): $result.search$ reads a field named "search" from the first result row, and
        the table command above lists no such field, so inputQuery may never receive the search
        string the panel below expects. TODO confirm against the running dashboard. -->
   <done>
     <condition match="$job.doneProgress$=1">
       <set token="inputQuery">$result.search$</set>
     </condition>
   </done>
 </search>    
 <row>
  <!-- Input panel: visible only while tkninput is set. -->
  <panel depends="$tkninput$">
      <title>Input Panel</title>
    <table>          
      <!-- NOTE(review): the entire query text comes from the inputQuery token. Whatever is able to
           set that token decides which SPL runs under the viewer's account; a fixed query with
           individually quoted tokens ($token|s$) keeps the search shape under the author's control. -->
      <search>
        <query>$inputQuery$</query>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
  <!-- Output panel: visible only while tknoutput is set. It runs the same pipeline inline,
       filtered on businessEventTrigger; here EventType is the bare search term.
       NOTE(review): $businessEventTrigger$ is also inserted unquoted; $businessEventTrigger|s$
       would pass the typed text as a quoted value. -->
  <panel depends="$tknoutput$">
    <title>Output Panel</title>
    <table>
      <search>
        <query>
    host= "tnt_log_mar" |  xmlkv maxinputs=10000 | rename "nspJ:TOR010Id" as TORID "nspMMM:EventType" as EventType | search ns0:ProcessId (EventType OR businessEventTrigger=$businessEventTrigger$) | table ns0:ProcessId EventType TORID nspM:SEC010Id nsSec:BUL010OrigId nsSec:BUL010DestinationId nspM:SequencingNr businessEventTrigger rocsTourId rocsMovementId rocsOriginId rocsDestinationId  tripLegSeqNbr  publishCd routeNm firstLegSchedDprtTmstp firstLegOrigin tripLegSeqNbr origin destination schedDprtTmstp estDprtTmstp  | selfjoin  ns0:ProcessId| dedup ns0:ProcessId
</query>
      </search>
      <option name="count">20</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="rowNumbers">false</option>
      <option name="totalsRow">false</option>
      <option name="wrap">true</option>    
    </table>
  </panel>
</row>    
</form>

DalJeanis
Legend

As long as at least one token in each search is unset, the search will not run. So, whenever the searchBy token changes, unset both of the tokens used at the next level down.

My guess of how you can use this: Remove the defaults for each, unset each on init and whenever the radio button is clicked, something like this...

<form>
 <label>DemoDashBoard1</label>
 <!-- Clear both text-input tokens at dashboard initialisation, so any search that references
      them has an unset token and does not start until a value is supplied. -->
 <init>
     <unset token="EventType"></unset>
     <unset token="businessEventTrigger"></unset>
 </init>
 <fieldset submitButton="true"  autoRun="false">
   <!-- Radio selector: besides toggling tkninput / tknoutput, each branch also unsets both
        text-input tokens, so a value left over from the other mode cannot trigger a search. -->
   <input type="radio" token="searchBy" searchWhenChanged="false">  <label>SearchBy</label>  <choice value="1">Input</choice>
     <choice value="2">Output</choice>
     <change>
       <condition value="1">
         <set token="tkninput">true</set>
         <unset token="tknoutput"></unset>
         <unset token="EventType"></unset>
         <unset token="businessEventTrigger"></unset>
       </condition>
       <condition value="2">
         <set token="tknoutput">true</set>
         <unset token="tkninput"></unset>
         <unset token="EventType"></unset>
         <unset token="businessEventTrigger"></unset>
       </condition>
     </change>
   </input>
   <!-- Text inputs carry no default element here; an empty entry is still mapped to * by the
        change handler. -->
   <input type="text" token="EventType" depends="$tkninput$">
     <label>EventType</label>
     <change>
        <condition value="">
          <set token="EventType">*</set>
        </condition>
      </change>
   </input>
          <input type="text" token="businessEventTrigger"  depends="$tknoutput$">
     <label>businessEventTrigger</label>
     <change>
        <condition value="">
          <set token="businessEventTrigger">*</set>
        </condition>
      </change>
   </input>
       </fieldset>
<!-- The snippet in the post ends here; the searches, the panels and the closing form tag are not shown. -->

rarangarajanspl
Explorer

Hello DalJeanis - Thanks for your response. It makes sense to unset a token.
I was able to run the searches conditionally by using an independent search that sits outside the panels.
1. The independent search is driven by the radio button value (1, 2).
2. I set/unset the tokens (inputSearchQryTkn and outputSearchQryTkn) based on the independent search's result. Each search query depends on its respective token.

<form>
  <label>Test Search Query</label>
  <!-- Standalone search used only to branch on the radio selection. makeresults produces one
       row and eval copies the selected value into field x. $searchBy|s$ inserts the token
       wrapped in double quotes, so the value reaches eval as a string literal rather than as
       raw SPL text. -->
  <search>
    <query>| makeresults
           | eval x=$searchBy|s$
           </query>
    <!-- Branch on the result: "1" enables the input query token, "2" the output query token.
         The last condition has no match attribute and acts as the fallback.
         NOTE(review): the fallback only unsets tokPanelSelected; inputSearchQryTkn and
         outputSearchQryTkn keep whatever value they had. Confirm that is intended. -->
    <done>
      <condition match="$result.x$==&quot;1&quot;">
        <set token="tokPanelSelected">1</set>
        <set token="inputSearchQryTkn">ip</set>
        <unset token="outputSearchQryTkn"></unset>
      </condition>
      <condition match="$result.x$==&quot;2&quot;">
        <set token="tokPanelSelected">2</set>
        <unset token="inputSearchQryTkn"></unset>
        <set token="outputSearchQryTkn">op</set>
      </condition>
      <condition>
        <unset token="tokPanelSelected"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <!-- Radio selector: toggles tkninput / tknoutput as in the original dashboard. -->
    <input type="radio" token="searchBy" searchWhenChanged="false" id="radioTxt">
      <label>SearchBy</label>
      <choice value="1">Input Parameters</choice>
      <choice value="2">Output Parameters</choice>
      <change>
        <condition value="1">
          <set token="tkninput">true</set>
          <unset token="tknoutput"></unset>
        </condition>
        <condition value="2">
          <set token="tknoutput">true</set>
          <unset token="tkninput"></unset>
        </condition>
      </change>
    </input>
    <!-- The snippet in the post ends here; the remaining inputs, the panels and the closing tags are not shown. -->