Splunk Search

How to write a search that says if the host equals this run this search or if the host equals this run this search.

Jewatson17
Path Finder

I want to write a search where I can use Windows and Linux servers. I want to have two searches in one, but I want only a set of hosts to use this search and another set of different searches use this search. Need it for dropdown input on dashboard. Please help.

0 Karma

elliotproebstel
Champion

I would use two tokens: $windows_search$ and $linux_search$. Depending on which host was selected in the list, I'd set one of those tokens and unset the other, and then I'd use a depends clause to display the appropriate panel, with its respective search. Here's a demo of what I'm describing. You can create a test dashboard on your search head and paste this code in directly to test/play, as it's written to run anywhere:

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tok_host">
      <label>host</label>
      <choice value="win1">win1</choice>
      <choice value="win2">win2</choice>
      <choice value="lin1">lin1</choice>
      <change>
        <condition label="win1">
          <set token="windows_search">1</set>
          <unset token="linux_search"></unset>
        </condition>
        <condition label="win2">
          <set token="windows_search">1</set>
          <unset token="linux_search"></unset>
        </condition>
        <condition label="lin1">
          <set token="linux_search">1</set>
          <unset token="windows_search"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$windows_search$">
      <table>
        <search>
          <query>|stats count |eval name="I'm a windows search", selected_host=$tok_host|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$linux_search$">
      <table>
        <search>
          <query>|stats count |eval name="I'm a linux search", selected_host=$tok_host|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
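The same token/depends approach, extended so the dropdown does not need one condition per host: this is an added example, not elliotproebstel's code. It assumes a host naming convention (Windows hosts start with "win", Linux hosts with "lin"), uses the eval-style match attribute of condition to classify the selected host, and the index and sourcetype names in the panel searches are placeholders.

```xml
<form>
  <label>host_dropdown_by_os</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tok_host" searchWhenChanged="true">
      <label>host</label>
      <!-- Populate the list from indexed hosts instead of hand-written choices -->
      <search>
        <query>| metadata type=hosts index=* | fields host | sort host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <change>
        <!-- Assumed naming convention: Windows hosts start with "win", Linux hosts with "lin" -->
        <condition match="match($tok_host$, &quot;^win&quot;)">
          <set token="windows_search">1</set>
          <unset token="linux_search"></unset>
        </condition>
        <condition match="match($tok_host$, &quot;^lin&quot;)">
          <set token="linux_search">1</set>
          <unset token="windows_search"></unset>
        </condition>
        <!-- Catch-all: a host that matches neither pattern hides both panels -->
        <condition>
          <unset token="windows_search"></unset>
          <unset token="linux_search"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$windows_search$">
      <table>
        <search>
          <query>index=wineventlog host=$tok_host|s$ | stats count by EventCode</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel depends="$linux_search$">
      <table>
        <search>
          <query>index=os host=$tok_host|s$ sourcetype=syslog | stats count by process</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The |s filter quotes the token value, so a host name containing spaces or search operators is passed as a literal string rather than altering the panel's search.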

Jewatson17
Path Finder

I have multiple hosts. How will I do it for about 30 Windows servers and 30 Linux servers? Would I have to create a condition for each server?

0 Karma