Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show search on condition - do not show or erase/delete on other condition?

eholz1
Builder
‎10-11-2022 09:22 AM

Hello All,

I have been searching for "how to" but not had much luck. I have this search: I run it realtime, and test with fixed time range (like 15 min,. etc)

 

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UsaerAction) by Date,host,user,UserAction | sort - Date

 

This search gives me a user, a host, and a "on" if user logs on and an "Off" if user logs off.

I would like to not show the "Off" condition when the user logs off - i.e. make the "On" line in the search result go away (disappear)

 

How might I do this?

thanks for a great source of info,

eholz1

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-26-2022 01:35 AM

Your code is almost there.  The only change you need is to use two tokens to turn on-off two panels.

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="show_panel1">true</set>
<unset token="show_panel2"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="show_panel2">false</set>
<unset token="show_panel1"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Note, the value of $show_panel1$ and $show_panel2$ doesn't matter.  All that matters is whether one or the other is set/unset.  After this, you create the other two panels with "depends" attribute with respective tokens as value like this

<panel depends=$show_panel1$>
  <title>this is panel 1</title>
  ...
</panel>
<panel depends=$show_panel2$>
  <title>this is panel 2</title>
  ...
</panel>

(See Show or hide content.)

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-11-2022 01:20 PM

I'm unsure about the exact requirement.  Why would you need to groupby a field that you are seeking latest of?

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off"

or, if you want the column name to be UserAction, use AS 

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) as UserAction by Date,host,user | sort - Date
| where UserAction == "Off"
Reply
Solved! Jump to solution

eholz1
Builder
‎10-20-2022 12:55 PM

Hello,

I am trying to hide or show a panel depending on a search result.

I have this search
sourcetype=linux_secure user=smith eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On"

the search returns "On" or "Off" as the last "UserAction"

I have two panels, panel1 and panel2
If the search in panel1 gives "On" for the result for user "smith", I want to show panel2

then "smith" logs off...

then if I rerun the search in panel1 and it returns UserAction == "Off" I want to hide panel2

So far no luck in understanding match for the search result or eval for the search result

Here is my logic:

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="hide_panel">true</set>
<unset token="hide_panel"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="hide_panel">false</set>
<unset token="hide_panel"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

I am not desiring to use any inputs here for a form, like drop downs, etc

I do know I am not understanding the use of the SimpleXML tags, etc. like <done> or result vs. job, etc

any suggestions will help,

Thanks Again,

eholz1

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-26-2022 01:35 AM

Your code is almost there.  The only change you need is to use two tokens to turn on-off two panels.

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="show_panel1">true</set>
<unset token="show_panel2"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="show_panel2">false</set>
<unset token="show_panel1"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Note, the value of $show_panel1$ and $show_panel2$ doesn't matter.  All that matters is whether one or the other is set/unset.  After this, you create the other two panels with "depends" attribute with respective tokens as value like this

<panel depends=$show_panel1$>
  <title>this is panel 1</title>
  ...
</panel>
<panel depends=$show_panel2$>
  <title>this is panel 2</title>
  ...
</panel>

(See Show or hide content.)

Tags (1)
Reply
Solved! Jump to solution

eholz1
Builder
‎10-26-2022 01:21 PM

OK , Thanks Again,

I will review things, and give it a shot. 

I do appreciate the reponses - Next I realized I may have to do this row by row 🙂

 

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎10-17-2022 01:36 PM

Thanks

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎10-11-2022 03:08 PM

Hello

Thanks for the reply. I will check your revision and see what happens. I have also seen how to hide a dashboard panel, but cannot get that to work with way I want.

 

Thanks,

eholz

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...