Splunk Search

Passing a different base search based on the selection of input dropdown

smanojkumar
Contributor

Hello Splunkers,

I would like to pass the two base searches: when the input dropdown is set to All, I need to pass one base search; when a value other than All is selected, it needs to pass a different base search.


Thanks!

0 Karma

ITWhisperer
SplunkTrust

What do you mean by "pass the two base search"? Pass them where? How are you trying to use base searches? Please provide more specific examples of what you are trying to do, as your current question is too ill-defined to be able to provide a meaningful answer.

0 Karma

smanojkumar
Contributor

Hello @ITWhisperer ,

I would like to pass a base search to panels in a dashboard.


 

<search id="base_search_1">
<query>
index=$siteid$ sourcetype=log*  values IN (Ax01, Ms09)
.....
| table *
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<search id="base_search_2">
<query>
index=$siteid$ sourcetype=log* Values IN (*)
.....
| table *
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>

I need to pass base_search_1 when "All" is selected in the input dropdown; when other values are selected in the input dropdown, it needs to pass base_search_2 to the panel in the dashboard.

thanks!

The reason I chose this is that we have an input dropdown field which may be empty at times, and we are also filtering only the head 10000 records as needed. When "All" is selected in the input dropdown, we don't have any issues, since the field can either have values or be empty. But when the input dropdown has some field values to be filtered, the empty field should not be giving proper results, so instead of head 10000 we need to filter 10k non-empty values rather than head 10k. Also, please suggest any other efficient way to do this.

thanks!

0 Karma

smanojkumar
Contributor

Hello @ITWhisperer ,

Hope I have added more information; please let me know if I need to add any other info.


The actual need is this: I have a field where I sometimes get an empty value. When I select All in the input dropdown, the values can be anything, including empty, but when we choose any specific value in the input dropdown, we don't need to consider empty values. So I planned to create 2 base searches: one for when we choose All in the input dropdown, the other for when we choose any value apart from All in the input dropdown, since when we are choosing any other value in the input dropdown, we can use

| where isnotnull(field_name)
| head 10000

which is not needed when we are selecting All in the input dropdown, since the data volume is huge.

thanks!


0 Karma
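
Added example, not part of the thread and not code from any participant: one way to get the behaviour described above is to keep a single base search and let the dropdown's change handler set a token holding the part of the query that differs, rather than switching between two base searches. The token names `dd_value` and `limit_clause`, the `stats` post-process query, and the use of `values IN ($dd_value$)` are assumptions; the `siteid` and `time_token` inputs from the thread are assumed to be defined elsewhere in the dashboard.

```xml
<form version="1.1">
  <!-- Constructed example. dd_value and limit_clause are hypothetical token names. -->
  <init>
    <!-- Matches the dropdown default ("All") before any change event fires -->
    <set token="limit_clause">| head 10000</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="dd_value" searchWhenChanged="true">
      <label>Value</label>
      <choice value="*">All</choice>
      <choice value="Ax01">Ax01</choice>
      <choice value="Ms09">Ms09</choice>
      <default>*</default>
      <change>
        <!-- "All": empty values are acceptable, keep the plain 10k cap -->
        <condition label="All">
          <set token="limit_clause">| head 10000</set>
        </condition>
        <!-- Any other choice: drop empty values first, then cap at 10k -->
        <condition>
          <set token="limit_clause">| where isnotnull(field_name) | head 10000</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <!-- One base search; the thread's elided steps would go before $limit_clause$ -->
  <search id="base_search">
    <query>
index=$siteid$ sourcetype=log* values IN ($dd_value$)
$limit_clause$
| table *
    </query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <row>
    <panel>
      <table>
        <!-- Post-process search: runs on the base search results -->
        <search base="base_search">
          <query>| stats count by field_name</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because `limit_clause` always holds a non-empty fragment, the base search never waits on an unset token, and each panel keeps the same `base="base_search"` reference whichever option is selected.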