Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search based on drop-down condition?

LearningGuy
Motivator
‎03-19-2024 11:57 AM

Hello,

How to search based on drop-down condition?
Thank you in advance!

index = test
| eval   week_or_day_token = "w"     (Drop down: if select "week" = "w",   "day" = "d)     

| eval   day_in_week_token = 1           (Drop down:  if select 0=Sunday, 1=Monday, 2=Tuesday, and so on)



If  week_or_day_token  is "week", then use day_in_week_token, otherwise if  week_or_day_token is "day" , then use all day *

| eval   day_in_week =  if(week_or_day_token="w",    day_in_week_token,   "*")



Get what day number in week on each timestamp

| eval  day_no_each_timestamp  = strftime(_time, "%" + day_in_week_token)


I searched the timestamp that falls on Monday (day_in_week=1), but I got 0 events

| search  day_no_each_timestamp = day_in_week


If I replaced it with "1", it worked, although the value day_in_week is 1

| search  day_no_each_timestamp = "1"



Labels (2)
Labels
0 Karma
Reply

Gr0und_Z3r0
Contributor
‎03-20-2024 05:03 AM

Hi @LearningGuy 

Not sure if I understand your requirement correctly. But below maybe something you can use.

<form version="1.1">
  <label>Dropdown-token-condition</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="token_week_or_day" searchWhenChanged="true">
      <label>Week Or Day</label>
      <choice value="w">Week</choice>
      <choice value="d">Day</choice>
    </input>
    <input type="dropdown" token="token_day" searchWhenChanged="true">
      <label>Day Number</label>
      <choice value="0">Sunday</choice>
      <choice value="1">Monday</choice>
      <choice value="2">Tuesday</choice>
      <choice value="3">Wednesday</choice>
      <choice value="4">Thursday</choice>
      <choice value="5">Friday</choice>
      <choice value="6">Saturday</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval selected_week_or_day_option="$token_week_or_day$" 
| eval selected_day=$token_day$ 

| table _time selected_week_or_day_option selected_day date_day  
| eval day_no_each_timestamp=strftime(_time,"%w") 
| eval day_in_week = if(selected_week_or_day_option="w", $token_day$, "*")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

If the reply helps, a Karma vote would be appreciated.



Reply

LearningGuy
Motivator
‎03-20-2024 05:15 AM

Hello,

Thank you so much for your response.
The query that contain the search is actually in the statistic table, but the condition is a condition based on the drop down token.

This is the main question:
How to dynamically search / where based on variable like below?

| search  day_no_each_timestamp = day_in_week

OR

| where day_no_each_timestamp = day_in_week

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...