Case Scenario:
Dashboard A is clicked, sending a token whose value is a hostname ($hostnameToken$) to Dashboard B.
Dashboard B, with the following query, receives $hostnameToken$ and uses it in | search host_name; when it runs, the | search query returns “Results not Found”.
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
IF (true)
| search host_name="$hostnameToken$"
THEN DO THIS:
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
ELSE (false)
| eval hostToken="$hostnameToken$"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip
THEN DO THIS:
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
The next search is carried out by converting the hostname token value to an IP via eval and lookup. If neither ELSE condition is met (value is False), the search stops.
Question:
How do I implement conditional statements in the above query? What is the right query to use?
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name="$hostnameToken$" OR | search host_name=""
| eval hostToken="$hostnameToken$"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
This query isn't working; I need input from users in the Splunk Community.
How do I implement | eval in the query above, or any conditional query?
https://community.splunk.com/t5/Splunk-Search/If-else-conditional-statements-for-search/m-p/104919#M...
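One way to keep the IF/ELSE inside the query itself, which is what both the original question and the follow-up post above ask for. This is an added example, not a query from this thread or from Splunk: it assumes the index, lookup files and field names exactly as written in the question (A.csv, B.csv, C.csv, CortexHostIp2.csv, plugin, solution), quotes the IP Address lookup field because it contains a space, and assumes that the ip value CortexHostIp2.csv returns for a hostname is in the same form as the ip field on the events. Rather than branching, it resolves the token's hostname to an IP once and then keeps an event if either branch matches; the added branch field records which one did.

```spl
index=S score>=7.0
| lookup A.csv "IP Address" as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| eval hostToken=$hostnameToken|s$
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip as token_ip
| eval branch=case(host_name==hostToken, "host_name match",
                   isnotnull(token_ip) AND ip==token_ip, "ip match via CortexHostIp2.csv")
| where isnotnull(branch)
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic
        values(Email) as email values(Squad) as squad values(branch) as branch by ip
```

The token is written as $hostnameToken|s$ rather than "$hostnameToken$": Simple XML's |s filter emits the value as a quoted string with embedded quotes and backslashes escaped, so a value arriving from the URL or a drilldown click is treated as data rather than as part of the search syntax. The lookups run once on the base search in both branches, the IF branch is the first case() condition, the ELSE branch the second, and when neither matches case() returns null, where drops every row and the panel shows "No results found", which is the behaviour the question describes for the ELSE-not-met case.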
Yes, Simple XML has a <condition /> element, see condition (form input) and condition (drilldown), as well as change (form input). But <condition /> can also be used inside <search /> directly, which is what you want to use. The idea is to set visual elements based on that token's initial value.
Here is a dummy dashboard to play with.
<form>
<label>Set token on load</label>
<!-- init>
<set token="master_token">Data Entry</set>
</init -->
<fieldset submitButton="false">
<input type="dropdown" token="master_token" searchWhenChanged="true">
<label>master token</label>
<choice value="Data Entry">Data entry</choice>
<choice value="Click Only">Click only</choice>
<choice value="Attachment">Attachment</choice>
<default>Data Entry</default>
</input>
</fieldset>
<search>
<query>
| makeresults
| fields - _time
| eval master_token="$master_token$"
</query>
<progress>
<condition match="'result.master_token' == &quot;Data Entry&quot;">
<set token="data_entry">True</set>
<unset token="attachment"></unset>
<unset token="click_only"></unset>
</condition>
<condition match="'result.master_token' == &quot;Click Only&quot;">
<set token="click_only">True</set>
<unset token="data_entry"></unset>
<unset token="attachment"></unset>
</condition>
<condition match="'result.master_token' == &quot;Attachment&quot;">
<set token="attachment">True</set>
<unset token="click_only"></unset>
<unset token="data_entry"></unset>
</condition>
</progress>
</search>
<row>
<panel>
<html>
<div>master_token: $master_token$</div>
<div>data_entry: $data_entry$</div>
<div>click_only: $click_only$</div>
<div>attachment: $attachment$</div>
</html>
</panel>
</row>
</form>
Once you set this up, you can play with it by supplying master_token in the URL, e.g., http://localhost:8000/en-US/app/search/set_token_on_load?master_token=Data%20Entry
Hope this helps.
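The same <condition /> inside <search /> mechanism can also drive the two branches from the original question, as an added example that is not part of this answer or of the thread: a small probe search checks whether the base data contains the token's hostname at all, its <done> handler sets one of two mutually exclusive tokens, and each branch panel is shown through depends. It assumes the index, lookup files and field names as written in the question, uses the |s token filter so the hostname is always substituted as a quoted string, and uses the 'job.resultCount' form in the match expression.

```xml
<form>
  <label>Host match with IP fallback (added example)</label>
  <fieldset submitButton="false">
    <input type="text" token="hostnameToken" searchWhenChanged="true">
      <label>hostnameToken</label>
    </input>
  </fieldset>
  <!-- Probe: does any event in the base search carry the token's hostname?
       The done handler turns the answer into two mutually exclusive tokens. -->
  <search>
    <query>index=S score>=7.0
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name=$hostnameToken|s$
| head 1</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <condition match="'job.resultCount' &gt; 0">
        <set token="host_found">true</set>
        <unset token="host_missing"></unset>
      </condition>
      <condition>
        <set token="host_missing">true</set>
        <unset token="host_found"></unset>
      </condition>
    </done>
  </search>
  <row>
    <!-- IF branch: visible only while host_found is set -->
    <panel depends="$host_found$">
      <title>host_name = $hostnameToken$</title>
      <table>
        <search>
          <query>index=S score>=7.0
| lookup A.csv "IP Address" as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name=$hostnameToken|s$
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <!-- ELSE branch: resolve the hostname to an IP in CortexHostIp2.csv and filter on that -->
    <panel depends="$host_missing$">
      <title>$hostnameToken$ not found by host_name; matching on IP from CortexHostIp2.csv</title>
      <table>
        <search>
          <query>index=S score>=7.0
| lookup A.csv "IP Address" as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search [ | inputlookup CortexHostIp2.csv | search host_name=$hostnameToken|s$ | fields ip ]
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

While hostnameToken is unset, none of the searches run and both panels stay hidden. The probe's result count decides which panel appears; the fallback panel's subsearch returns the ip values CortexHostIp2.csv holds for the hostname, and when it returns none the outer search matches nothing, which is the "search stops" outcome from the question. The <condition> without a match attribute is the default branch and runs whenever the first one does not.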
Thanks for responding to my post, bro,
but what I mean is a fundamental change at the query level, in its logic, without changing the XML.
But changing Simple XML is perhaps the least complex solution, if there is an alternative one. In fact, after reexamining your description, dashboard B probably does not need conditional token setting. Instead, you need separate panels to handle the two conditions, because your base search, i.e.,
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
generally returns some events matching host_name="$hostnameToken$", some not. (If this is not true, you can go back to setting dynamic panels.) You need two panels in order to show all conditions.
Consider this emulated dashboard:
<dashboard>
<label>Search based on token</label>
<description>https://community.splunk.com/t5/Splunk-Search/Condition-Function-for-seach-based-on-Token/</description>
<init>
<!-- set token="hostnameToken">host1</set -->
</init>
<row>
<panel>
<title>hostnameToken=$hostnameToken$</title>
<html>
<head>
<style>
table, th, td {
border: 1px solid black;
}
</style>
</head>
<body>
<p>Base search
<pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
</pre>
</p>
<p>
Emulated output from (no filter)
</p>
<table>
<tr>
<th>Email</th> <th>PIC</th> <th>Squad</th> <th>host_name</th> <th>ip</th> <th>plugin</th> <th>solution</th>
</tr>
<tr>
<td>email1@fake.com</td> <td>somePIC</td> <td>Squad1</td> <td>host1</td> <td>192.168.1.11</td> <td>PluginA</td> <td>somesolutionB</td>
</tr>
<tr>
<td>email2@fake.com</td> <td>somePIC</td> <td>Squad1</td> <td>host2</td> <td>192.168.1.12</td> <td>PluginA</td> <td>somesolution2</td>
</tr>
<tr>
<td>email3@fake.com</td> <td>somePIC2</td> <td>SquadB</td> <td>host1</td> <td>192.168.1.11</td> <td>PluginB</td> <td>someslutionB</td>
</tr>
</table>
</body>
</html>
</panel>
</row>
<row>
<panel>
<title>search host_name = $hostnameToken$</title>
<html>
<pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name = $hostnameToken$
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
</pre>
<p>renders into</p>
<pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name = $hostnameToken$
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
</pre>
<p>Emulated output:</p>
</html>
<table>
<search>
<query>| makeresults
| eval _raw = "dummy,host_name,ip,plugin,solution,PIC,Email,Squad
,host1,192.168.1.11,PluginA,somesolutionB,somePIC,email1@fake.com,Squad1
,host2,192.168.1.12,PluginA,somesolution2,somePIC,email2@fake.com,Squad1
,host1,192.168.1.11,PluginB,someslutionB,somePIC2,email3@fake.com,SquadB"
| multikv forceheader=1
``` the above emulates
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
```
| search host_name="$hostnameToken$"
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<title>search host_name != $hostnameToken$</title>
<html>
<p>Run your second search here. For example,</p>
<pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name="$hostnameToken$" OR | search host_name=""
| eval hostToken="$hostnameToken$"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip ``` what is the use of the always-true search? ```
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
</pre>
<p>
which renders into
</p>
<pre>
index=S score>=7.0
| lookup A.csv IP Address as ip OUTPUTNEW Squad
| lookup B.csv IP as ip OUTPUTNEW PIC, Email
| lookup C.csv ip as ip OUTPUTNEW host_name
| search host_name="$hostnameToken$" OR | search host_name=""
| eval hostToken="$hostnameToken$"
| lookup CortexHostIp2.csv host_name as hostToken OUTPUTNEW ip
| search ip=ip ``` what is the use of the always-true search? ```
| stats values(plugin) as Plugin values(solution) as Solution values(PIC) as pic values(Email) as email values(Squad) as squad by ip
</pre>
</html>
</panel>
</row>
</dashboard>
If you query http://localhost:8000/en-US/app/search/search_based_on_token?hostnameToken=host1, the left-hand panel (IF host_name="$hostnameToken$") shows
ip | Plugin | Solution | pic | email | squad
192.168.1.11 | PluginA PluginB | someslutionB somesolutionB | somePIC somePIC2 | email1@fake.com email3@fake.com | Squad1 SquadB

ip | Plugin | Solution | pic | email | squad
192.168.1.12 | PluginA | somesolution2 | somePIC | email2@fake.com | Squad1