- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you use if statements in the search query itse...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to execute a search based on dropdown menu selection. If user specifies certain options, indexes or other fields change. E.g.,
index=if($index$=official,index_official,index_standard) build=if($index$=official,*,$build$) | ...
However, this does not produce a search, whereas if I search for either
index=index_official build=*
or
index=index_standard build=$build$
the query returns results.
Is it possible to use the if statement at this point in the search query? I prefer not to do a larger query and then filter later with eval commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search]
|...rest of your search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=[| gentimes start=-1 | eval search=if("$index$"="official","index_official","index_standard") | table search]
build=[| gentimes start=-1 | eval search=if("$index$"="official","*","$build$") | table search]
|...rest of your search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to do the trick - thanks.
One question: What exactly is gentimes doing here? Why doesn't the query work without it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The gentimes is just used to create a row, so that a field search can be created. You can use "|gentimes start=-1" OR "| stats count" to create a row.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
isn't the 'if statement' unnecessary if you are already using the drop down selection? Assuming your drop down selection is working, why won't this work for you?
index=$index$ build=$build$ | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dropdown selection driving multiple different values. For example, if official I may consider only build=100, settings=high, etc., but if I'm using nonofficial, then build=$specified_build$, settings=$specified_settings$, etc.
Another application is that I have a dropdown menu that chooses which of an array of fields will be set to *, so those fields would look like
build=if($swap_type$=build,,$build$) corner=if($swap_type$=corner,,$corner$) bin=if($swap_type$=bin,*,$bin$) | ...
here, we have specifications for each of the fields: build, corner, bin, however one of them we can select to chart against, so in that case we don't filter it (I'm displaying X over time, with the other two as filters).
I can't think of a way of doing this without if statements.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
