Re: How to search based on drop-down condition?

LearningGuy · ‎03-19-2024

Hello,

How to search based on drop-down condition?
Thank you in advance!

index = test
| eval   week_or_day_token = "w"     (Drop down: if select "week" = "w",   "day" = "d)     

| eval   day_in_week_token = 1           (Drop down:  if select 0=Sunday, 1=Monday, 2=Tuesday, and so on)

If week_or_day_token is "week", then use day_in_week_token, otherwise if week_or_day_token is "day" , then use all day *

| eval   day_in_week =  if(week_or_day_token="w",    day_in_week_token,   "*")

Get what day number in week on each timestamp

| eval  day_no_each_timestamp  = strftime(_time, "%" + day_in_week_token)

I searched the timestamp that falls on Monday (day_in_week=1), but I got 0 events

| search  day_no_each_timestamp = day_in_week

If I replaced it with "1", it worked, although the value day_in_week is 1

| search  day_no_each_timestamp = "1"

Gr0und_Z3r0 · ‎03-20-2024

Hi @LearningGuy

Not sure if I understand your requirement correctly. But below maybe something you can use.

<form version="1.1">
  <label>Dropdown-token-condition</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="token_week_or_day" searchWhenChanged="true">
      <label>Week Or Day</label>
      <choice value="w">Week</choice>
      <choice value="d">Day</choice>
    </input>
    <input type="dropdown" token="token_day" searchWhenChanged="true">
      <label>Day Number</label>
      <choice value="0">Sunday</choice>
      <choice value="1">Monday</choice>
      <choice value="2">Tuesday</choice>
      <choice value="3">Wednesday</choice>
      <choice value="4">Thursday</choice>
      <choice value="5">Friday</choice>
      <choice value="6">Saturday</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval selected_week_or_day_option="$token_week_or_day$" 
| eval selected_day=$token_day$ 

| table _time selected_week_or_day_option selected_day date_day  
| eval day_no_each_timestamp=strftime(_time,"%w") 
| eval day_in_week = if(selected_week_or_day_option="w", $token_day$, "*")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

If the reply helps, a Karma vote would be appreciated.

LearningGuy · ‎03-20-2024

Hello,

Thank you so much for your response.
The query that contain the search is actually in the statistic table, but the condition is a condition based on the drop down token.

This is the main question:
How to dynamically search / where based on variable like below?

| search  day_no_each_timestamp = day_in_week

OR

| where day_no_each_timestamp = day_in_week

How to search based on drop-down condition?

eval

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation