Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show search on condition - do not show or erase/delete on other condition?

eholz1
Contributor
‎10-11-2022 09:22 AM

Hello All,

I have been searching for "how to" but not had much luck. I have this search: I run it realtime, and test with fixed time range (like 15 min,. etc)

 

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UsaerAction) by Date,host,user,UserAction | sort - Date

 

This search gives me a user, a host, and a "on" if user logs on and an "Off" if user logs off.

I would like to not show the "Off" condition when the user logs off - i.e. make the "On" line in the search result go away (disappear)

 

How might I do this?

thanks for a great source of info,

eholz1

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-26-2022 01:35 AM

Your code is almost there.  The only change you need is to use two tokens to turn on-off two panels.

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="show_panel1">true</set>
<unset token="show_panel2"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="show_panel2">false</set>
<unset token="show_panel1"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Note, the value of $show_panel1$ and $show_panel2$ doesn't matter.  All that matters is whether one or the other is set/unset.  After this, you create the other two panels with "depends" attribute with respective tokens as value like this

<panel depends=$show_panel1$>
  <title>this is panel 1</title>
  ...
</panel>
<panel depends=$show_panel2$>
  <title>this is panel 2</title>
  ...
</panel>

(See Show or hide content.)

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-11-2022 01:20 PM

I'm unsure about the exact requirement.  Why would you need to groupby a field that you are seeking latest of?

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off"

or, if you want the column name to be UserAction, use AS 

sourcetype=linux_secure eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) as UserAction by Date,host,user | sort - Date
| where UserAction == "Off"
Reply
Solved! Jump to solution

eholz1
Contributor
‎10-20-2022 12:55 PM

Hello,

I am trying to hide or show a panel depending on a search result.

I have this search
sourcetype=linux_secure user=smith eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On"

the search returns "On" or "Off" as the last "UserAction"

I have two panels, panel1 and panel2
If the search in panel1 gives "On" for the result for user "smith", I want to show panel2

then "smith" logs off...

then if I rerun the search in panel1 and it returns UserAction == "Off" I want to hide panel2

So far no luck in understanding match for the search result or eval for the search result

Here is my logic:

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="hide_panel">true</set>
<unset token="hide_panel"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="hide_panel">false</set>
<unset token="hide_panel"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

I am not desiring to use any inputs here for a form, like drop downs, etc

I do know I am not understanding the use of the SimpleXML tags, etc. like <done> or result vs. job, etc

any suggestions will help,

Thanks Again,

eholz1

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-26-2022 01:35 AM

Your code is almost there.  The only change you need is to use two tokens to turn on-off two panels.

<table>
<search id="log_action">
<query>sourcetype=linux_secure user=holzapfele eventtype="ssh_open" OR eventtype="ssh_close" | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval UserAction=case(eventtype="ssh_open","On",eventtype="ssh_close","Off",1==1,UserAction)
| stats last(UserAction) by Date,host,user | sort - Date
| where 'last(UserAction)' == "Off" OR 'last(UserAction)' == "On" </query>
<earliest>-15m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<progress>
<condition match="$result.last(UserAction)$==Off">
<set token="show_panel1">true</set>
<unset token="show_panel2"></unset>
</condition>
<condition match="$result.last(UserAction)$==On">
<set token="show_panel2">false</set>
<unset token="show_panel1"></unset>
</condition>
</progress>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>

Note, the value of $show_panel1$ and $show_panel2$ doesn't matter.  All that matters is whether one or the other is set/unset.  After this, you create the other two panels with "depends" attribute with respective tokens as value like this

<panel depends=$show_panel1$>
  <title>this is panel 1</title>
  ...
</panel>
<panel depends=$show_panel2$>
  <title>this is panel 2</title>
  ...
</panel>

(See Show or hide content.)

Tags (1)
Reply
Solved! Jump to solution

eholz1
Contributor
‎10-26-2022 01:21 PM

OK , Thanks Again,

I will review things, and give it a shot. 

I do appreciate the reponses - Next I realized I may have to do this row by row 🙂

 

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Contributor
‎10-17-2022 01:36 PM

Thanks

eholz1

0 Karma
Reply
Solved! Jump to solution

eholz1
Contributor
‎10-11-2022 03:08 PM

Hello

Thanks for the reply. I will check your revision and see what happens. I have also seen how to hide a dashboard panel, but cannot get that to work with way I want.

 

Thanks,

eholz

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...