Splunk Search

Which Condition Function for | search based on Token should I use?

time2200
Explorer

Case Scenario:

Dashboard A is clicked, thus sending a token whose value is a hostname ($hostnameToken$) to Dashboard B.

Dashboard B, which has the following query, receives $hostnameToken$ and uses it in | search host_name, and then handles the case when that | search returns “Results not Found”:

        index=S score>=7.0
        | lookup A.csv IP Address as ip OUTPUTNEW Squad
        | lookup B.csv IP as ip OUTPUTNEW PIC, Email
        | lookup C.csv ip as ip OUTPUTNEW host_name

        IF (true)
                | search host_name="$hostnameToken$"
        THEN DO THIS:
                | stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip

        ELSE (false)
                | eval hostToken="$hostnameToken$"
                | lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
                | search ip=ip
        THEN DO THIS:
                | stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip

The next search is carried out by converting the hostname token value to an IP via eval and lookup. If neither ELSE condition is met (value is False), then the search stops.

Question:

How do I implement conditional statements in the above query? What is the right query to use?

1 Solution

yuanliu
SplunkTrust

But changing Simple XML is perhaps the least complex solution, if there is an alternative one.  In fact, after reexamining your description, dashboard B probably does not need conditional token setting.  Instead, you need to separate panels to handle the two conditions, because your base search, i.e.,


        index=S score>=7.0
        | lookup A.csv IP Address as ip OUTPUTNEW Squad
        | lookup B.csv IP as ip OUTPUTNEW PIC, Email
        | lookup C.csv ip as ip OUTPUTNEW host_name


generally returns some events matching host_name="$hostnameToken$", some not.  (If this is not true, you can go back to setting dynamic panels.)  You need two panels in order to show all conditions.

Consider this emulated dashboard:


<dashboard>
  <label>Search based on token</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Condition-Function-for-seach-based-on-Token/</description>
  <init>
    <!-- set token="hostnameToken">host1</set -->
  </init>
  <row>
    <panel>
      <title>hostnameToken=$hostnameToken$</title>
      <html>
        <head>
          <style>
          table, th, td {
            border: 1px solid black;
          }
          </style>
        </head>
        <body>
          <p>Base search
            <pre>
index=S score&gt;=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
            </pre>
          </p>
          <p>
            Emulated output from (no filter)
          </p>
          <table>
            <tr>
              <th>Email</th>	<th>PIC</th>	<th>Squad</th>	<th>host_name</th>	<th>ip</th>	<th>plugin</th>	<th>solution</th>
            </tr>
            <tr>
              <td>email1@fake.com</td>	<td>somePIC</td>	<td>Squad1</td>	<td>host1</td>	<td>192.168.1.11</td>	<td>PluginA</td>	<td>somesolutionB</td>
            </tr>
            <tr>
              <td>email2@fake.com</td>	<td>somePIC</td>	<td>Squad1</td>	<td>host2</td>	<td>192.168.1.12</td>	<td>PluginA</td>	<td>somesolution2</td>
            </tr>
            <tr>
              <td>email3@fake.com</td>	<td>somePIC2</td>	<td>SquadB</td>	<td>host1</td>	<td>192.168.1.11</td>	<td>PluginB</td>	<td>someslutionB</td>
            </tr>
          </table>
        </body>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>search host_name = $hostnameToken$</title>
      <html>
        <pre>
index=S score&gt;=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name = &#36;hostnameToken&#36;
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
        </pre>
        <p>renders into</p>
        <pre>
index=S score&gt;=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name = $hostnameToken$
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
        </pre>
        <p>Emulated output:</p>
      </html>
      <table>
        <search>
          <query>| makeresults
| eval _raw = "dummy,host_name,ip,plugin,solution,PIC,Email,Squad
,host1,192.168.1.11,PluginA,somesolutionB,somePIC,email1@fake.com,Squad1
,host2,192.168.1.12,PluginA,somesolution2,somePIC,email2@fake.com,Squad1
,host1,192.168.1.11,PluginB,someslutionB,somePIC2,email3@fake.com,SquadB"
| multikv forceheader=1
``` the above emulates
        index=S score&gt;=7.0
        | lookup A.csv IP Address as ip OUTPUTNEW Squad
        | lookup B.csv IP as ip OUTPUTNEW PIC, Email
        | lookup C.csv ip as ip OUTPUTNEW host_name
```
| search host_name="$hostnameToken$"
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <title>search host_name != $hostnameToken$</title>
      <html>
        <p>Run your second search here.  For example,</p>
        <pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name="&#36;hostnameToken&#36;" OR | search host_name=""
| eval hostToken="&#36;hostnameToken&#36;"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip ``` what is the use of always-true search? ```
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as emailvalues(Squad) as squad by ip
        </pre>
        <p>
          which renders into
        </p>
        <pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name="$hostnameToken$" OR | search host_name=""
| eval hostToken="$hostnameToken$"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip ``` what is the use of always-true search? ```
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as emailvalues(Squad) as squad by ip
        </pre>
      </html>
    </panel>
  </row>
</dashboard>


If you query http://localhost:8000/en-US/app/search/search_based_on_token?hostnameToken=host1, the left-hand panel (IF host_name="$hostnameToken$") shows

ip            Plugin   Solution       pic       email            squad
192.168.1.11  PluginA  someslutionB   somePIC   email1@fake.com  Squad1
              PluginB  somesolutionB  somePIC2  email3@fake.com  SquadB

ip            Plugin   Solution       pic       email            squad
192.168.1.12  PluginA  somesolution2  somePIC   email2@fake.com  Squad1

Then, http://localhost:8000/en-US/app/search/search_based_on_token?hostnameToken=host3 has no return in the left-hand side panel.  If you want to not run the search and hide the panel when this happens, you can set and unset conditional tokens and follow Show or hide content.

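The IF/ELSE the question describes can be expressed at query level, with Simple XML used only to hide the panel when nothing matches, which is what the accepted answer points to with "set and unset conditional tokens". The dashboard below is an added example, not code from the thread or from Splunk: it assumes the same index, lookups and field names as the question, quotes the "IP Address" column on the assumption that its header really contains a space, renames the address resolved from CortexHostIp2.csv to token_ip (a name introduced here) so it cannot overwrite the event's own ip, and uses the $hostnameToken|s$ token filter so the value arriving from the URL is quoted and escaped before it is spliced into SPL. The has_results and no_results tokens are also introduced here.

```xml
<dashboard>
  <label>Search based on token (conditional in SPL)</label>
  <!-- Global search: dispatched once the dashboard loads and $hostnameToken$ is set.
       $hostnameToken|s$ wraps the URL-supplied value in quotes and escapes quotes and
       backslashes, so a crafted token cannot change the shape of the search.
       The IF branch (host_name equals the token) and the ELSE branch (event ip equals the
       address the lookup resolved for the token) are combined in a single "where".
       "where" is required for a field-to-field comparison: "search ip=token_ip" would
       compare ip to the literal string token_ip. If neither branch matches, stats returns
       no rows and the done handler sets no_results instead of has_results. -->
  <search id="host_search">
    <query>
index=S score&gt;=7.0
| lookup A.csv "IP Address" AS ip OUTPUTNEW Squad
| lookup B.csv IP AS ip OUTPUTNEW PIC, Email
| lookup C.csv ip AS ip OUTPUTNEW host_name
| eval hostToken=$hostnameToken|s$
| lookup CortexHostIp2.csv host_name AS hostToken OUTPUTNEW ip AS token_ip
| where host_name=hostToken OR (isnotnull(token_ip) AND ip=token_ip)
| stats values(plugin) AS Plugin values(solution) AS Solution values(PIC) AS pic values(Email) AS email values(Squad) AS squad BY ip
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <condition match="'job.resultCount' == 0">
        <set token="no_results">true</set>
        <unset token="has_results"></unset>
      </condition>
      <condition>
        <set token="has_results">true</set>
        <unset token="no_results"></unset>
      </condition>
    </done>
  </search>
  <row>
    <!-- Shown only when the search above produced rows. -->
    <panel depends="$has_results$">
      <title>Findings for $hostnameToken$</title>
      <table>
        <search base="host_search">
          <query>| table ip Plugin Solution pic email squad</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <!-- Shown only when neither branch matched; |h HTML-escapes the token for display. -->
    <panel depends="$no_results$">
      <title>No match</title>
      <html>
        <p>No events matched host_name=$hostnameToken|h$ and CortexHostIp2.csv resolved no IP for it.</p>
      </html>
    </panel>
  </row>
</dashboard>
```

Load it the same way as the accepted answer, e.g. with ?hostnameToken=host1 on the dashboard URL. Events whose host_name equals the token pass the first branch; for a token that is not a host_name in the events, the lookup supplies token_ip and events whose ip equals it pass the second branch; a token such as host3 that matches neither yields an empty stats result, so the table panel stays hidden and only the "No match" panel is displayed.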

time2200
Explorer

index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name="$hostnameToken$" OR | search host_name=""
| eval hostToken="$hostnameToken$"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as emailvalues(Squad) as squad by ip


time2200
Explorer

This query isn't working; I need input from users in the Splunk community.


time2200
Explorer

How do I implement | eval in the above query, or any conditional query?
https://community.splunk.com/t5/Splunk-Search/If-else-conditional-statements-for-search/m-p/104919#M...


yuanliu
SplunkTrust

Yes, Simple XML has a <condition /> element, see condition (form input) and condition (drilldown), as well as change (form input).  But <condition /> can also be used inside <search /> directly, which is what you want to use.  The idea is to set visual elements based on that token's initial value.

Here is a dummy dashboard to play with.

<form>
  <label>Set token on load</label>
  <!-- init>
    <set token="master_token">Data Entry</set>
  </init -->
  <fieldset submitButton="false">
    <input type="dropdown" token="master_token" searchWhenChanged="true">
      <label>master token</label>
      <choice value="Data Entry">Data entry</choice>
      <choice value="Click Only">Click only</choice>
      <choice value="Attachment">Attachment</choice>
      <default>Data Entry</default>
    </input>
  </fieldset>
  <search>
    <query>
      | makeresults
      | fields - _time
      | eval master_token="$master_token$"
    </query>
    <progress>
      <condition match="master_token==&quot;Data Entry&quot;">
        <set token="data_entry">True</set>
        <unset token="attachment"></unset>
        <unset token="click_only"></unset>
      </condition>
      <condition match="master_token==&quot;Click Only&quot;">
        <set token="click_only">True</set>
        <unset token="data_entry"></unset>
        <unset token="attachment"></unset>
      </condition>
      <condition match="master_token==&quot;Attachment&quot;">
        <set token="attachment">True</set>
        <unset token="click_only"></unset>
        <unset token="data_entry"></unset>
      </condition>
    </progress>
  </search>
  <row>
    <panel>
      <html>
        <div>master_token: $master_token$</div>
        <div>data_entry: $data_entry$</div>
        <div>click_only: $click_only$</div>
        <div>attachment: $attachment$</div>
      </html>
    </panel>
  </row>
</form>

Once you set this up, you can play with it by supplying master_token in the URL, e.g., http://localhost:8000/en-US/app/search/set_token_on_load?master_token=Data%20Entry

Hope this helps.


time2200
Explorer

Thanks for responding to my post, bro,
but what I mean is a fundamental change at the query level, in its logic, without changing the XML.

