Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show search on condition - do not show or erase/delete on other condition?

eholz1
Builder
‎10-11-2022 09:22 AM

Hello All,

I have been searching for "how to" but not had much luck. I have this search: I run it realtime, and test with fixed time range (like 15 min,. etc)

 

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UsaerAction) by Date,host,user,UserAction | sort - Date

 

This search gives me a user, a host, and a "on" if user logs on and an "Off" if user logs off.

I would like to not show the "Off" condition when the user logs off - i.e. make the "On" line in the search result go away (disappear)

 

How might I do this?

thanks for a great source of info,

eholz1

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-26-2022 01:35 AM

Your code is almost there.  The only change you need is to use two tokens to turn on-off two panels.

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="show_panel1">true</set>
<unset token="show_panel2"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="show_panel2">false</set>
<unset token="show_panel1"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Note, the value of $show_panel1$ and $show_panel2$ doesn't matter.  All that matters is whether one or the other is set/unset.  After this, you create the other two panels with "depends" attribute with respective tokens as value like this

<panel depends=$show_panel1$>
  <title>this is panel 1</title>
  ...
</panel>
<panel depends=$show_panel2$>
  <title>this is panel 2</title>
  ...
</panel>

(See Show or hide content.)

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-11-2022 01:20 PM

I'm unsure about the exact requirement.  Why would you need to groupby a field that you are seeking latest of?

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off"

or, if you want the column name to be UserAction, use AS 

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) as UserAction by Date,host,user | sort - Date
| where UserAction == "Off"
Reply
Solved! Jump to solution

eholz1
Builder
‎10-20-2022 12:55 PM

Hello,

I am trying to hide or show a panel depending on a search result.

I have this search
sourcetype=linux_secure user=smith eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On"

the search returns "On" or "Off" as the last "UserAction"

I have two panels, panel1 and panel2
If the search in panel1 gives "On" for the result for user "smith", I want to show panel2

then "smith" logs off...

then if I rerun the search in panel1 and it returns UserAction == "Off" I want to hide panel2

So far no luck in understanding match for the search result or eval for the search result

Here is my logic:

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="hide_panel">true</set>
<unset token="hide_panel"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="hide_panel">false</set>
<unset token="hide_panel"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

I am not desiring to use any inputs here for a form, like drop downs, etc

I do know I am not understanding the use of the SimpleXML tags, etc. like <done> or result vs. job, etc

any suggestions will help,

Thanks Again,

eholz1

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-26-2022 01:35 AM

Your code is almost there.  The only change you need is to use two tokens to turn on-off two panels.

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="show_panel1">true</set>
<unset token="show_panel2"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="show_panel2">false</set>
<unset token="show_panel1"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Note, the value of $show_panel1$ and $show_panel2$ doesn't matter.  All that matters is whether one or the other is set/unset.  After this, you create the other two panels with "depends" attribute with respective tokens as value like this

<panel depends=$show_panel1$>
  <title>this is panel 1</title>
  ...
</panel>
<panel depends=$show_panel2$>
  <title>this is panel 2</title>
  ...
</panel>

(See Show or hide content.)

Tags (1)
Reply
Solved! Jump to solution

eholz1
Builder
‎10-26-2022 01:21 PM

OK , Thanks Again,

I will review things, and give it a shot. 

I do appreciate the reponses - Next I realized I may have to do this row by row 🙂

 

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎10-17-2022 01:36 PM

Thanks

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎10-11-2022 03:08 PM

Hello

Thanks for the reply. I will check your revision and see what happens. I have also seen how to hide a dashboard panel, but cannot get that to work with way I want.

 

Thanks,

eholz

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...