Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return fields based on boolean value

hegga
Explorer
‎07-13-2017 01:21 AM

Hi,

I have a saved search used by a dashboard which should return different fields based on the boolean value of a string. For example:

if $show_raw_log$ == 1 do
   | fields _raw

if $show_raw_log$ == 0 do
   | fields _time,  sender, recipient, message_subject, attachment, vendor_action, message_id
   | fields - _raw

How can I achieve this in Splunk?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-13-2017 10:54 PM

@hegga, more details please. What sets the Boolean value $show_raw_log$, is it going to be a form input, a search or a drilldown event?

In any case you can use eval tag to set a query string token to be passed to your actual search.

<eval token="queryString">if($show_raw_log$==1, "| fields _raw", "| fields _time,  sender, recipient, message_subject, attachment, vendor_action, message_id | fields - _raw")</eval>

Then use token queryString in your actual search.
PS: Where ever in your current code you are setting $show_raw_log$ eval tag similar to the one above needs to be added, which implies $show_raw_log$ might not exist or may be represented by some other field/value or token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-13-2017 10:54 PM

@hegga, more details please. What sets the Boolean value $show_raw_log$, is it going to be a form input, a search or a drilldown event?

In any case you can use eval tag to set a query string token to be passed to your actual search.

<eval token="queryString">if($show_raw_log$==1, "| fields _raw", "| fields _time,  sender, recipient, message_subject, attachment, vendor_action, message_id | fields - _raw")</eval>

Then use token queryString in your actual search.
PS: Where ever in your current code you are setting $show_raw_log$ eval tag similar to the one above needs to be added, which implies $show_raw_log$ might not exist or may be represented by some other field/value or token.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

hegga
Explorer
‎07-21-2017 12:21 AM

Thanks @niketnilay! I'd wish you'd submitted this as an answer, so I could accept it. The boolean field is input from a checkbox in a dashboard which will be used in a search.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-21-2017 12:24 AM

@hegga, I have converted to answer. Please accept 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...