Splunk Search

OR/AND condition search query should work based on the match and give the result.

rakshithreddy
Explorer

Hi Team,

I am trying to populate a panel on the dashboard on the basis of two input fields

Profileid & Transactionid

The search query I have written for the panel is

index=abc profile=$profileid$ AND transaction=$transactionid$

Now the requirement is that if there is an event which exactly matches the condition, like profileid=mnp and transactionid=xyz, then only that event is shown in the panel. If I use OR in the search query, then results matching either condition are shown.

What I want is: if there is an exact match available, then the AND condition search should run; if there is no exact match, then the OR condition search should run. How do I build the logic to dynamically decide whether the OR or the AND search query should give me the result?

Thank you

0 Karma
1 Solution

niketn
Legend

Following is a run-anywhere search that you can try out to see if it fits the need. This search performs an AND to fetch at least one record (using head 1 so that it does not consume a lot of resources). In case it finds no results, the search filter is set to OR; otherwise it is set to AND.

<form>
  <!-- Root element and label are required for a complete Simple XML dashboard -->
  <label>AND search with fallback to OR</label>
  <!-- Probe search: AND both inputs and fetch at most one event -->
  <search>
    <query>index=_internal sourcetype="$selSourceType$" log_level="$selLogLevel$"
| head 1</query>
    <!-- Same time window as the panel search, so the probe and the panel agree -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <!-- No results found by performing AND, hence change the filter to OR -->
      <condition match="$job.resultCount$==0">
        <set token="filterType">OR</set>
      </condition>
      <!-- Result/s found by performing AND, hence retain the filter as AND -->
      <condition>
        <set token="filterType">AND</set>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="selSourceType" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunkd_ui_access">splunkd_ui_access</choice>
      <choice value="doesnotexist">doesNotExist</choice>
    </input>
    <input type="dropdown" token="selLogLevel" searchWhenChanged="true">
      <label>Select Log Level</label>
      <choice value="INFO">Info</choice>
      <choice value="WARN">warn</choice>
      <choice value="UNKNOWN">Unknown</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Filter Type=$filterType$</title>
        <!-- Panel search: $filterType$ expands to AND or OR as set by the probe -->
        <search>
          <query>index=_internal sourcetype="$selSourceType$" $filterType$ log_level="$selLogLevel$"
| stats count by sourcetype log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

PS: log_level=INFO and WARN exist only in splunkd and not in splunkd_ui_access. You can also try out doesnotexist and UNKNOWN for unmatched-scenario testing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
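A single-search alternative for the asker's panel, as an added example that is not part of niketn's answer: it retrieves the OR set once, flags events that match both inputs, and keeps only those when at least one exists, otherwise it keeps everything. It assumes the asker's index=abc, the fields profile and transaction, and the tokens $profileid$ and $transactionid$ from the question.

```spl
index=abc (profile="$profileid$" OR transaction="$transactionid$")
| eval exact=if(profile="$profileid$" AND transaction="$transactionid$", 1, 0)
| eventstats max(exact) AS exact_available
| where exact=exact_available
| fields - exact exact_available
```

eventstats has to see the whole OR result set before the where filter runs, so on a large index this costs more than the probe-then-filter dashboard above; the eval comparison is also case-sensitive, unlike the search terms.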
