conditional if search based on token value

drultima
New Member

I have a token input at the top of the dashboard. values are dropdown 1 or 2.

search needs to be this logic: if the token is 1, then host value is these four servers, if token is 2, then host value is these other four servers

I have tried this: if(token==1,host==server1 OR host==server2 OR host==server3 OR host==server4,host==server5 OR host==server6 OR host==server7 OR host==server8)

my thinking was if(trigger,value,else). the problem is I get EVERY server in my index when I do this. What am I doing wrong?

0 Karma

cphair
Builder

Your if-statement isn't searching over anything or assigning anything anywhere; it's just making a calculation in thin air. If you really only have two input choices and four servers for each, you could hardcode them into the search:

... | where ($token$="1" AND (host=a OR host=b OR host=c OR host=d)) OR ($token$="2" AND (host=e OR host=f OR host=g OR host=h))

Another alternative is to code the server list into your token value, if you don't actually need that value for anything else and it's just there as a placeholder:
<choice value="host=a OR host=b OR host=c OR host=d">1</choice>
<choice value="host=e OR host=f OR host=g OR host=h">2</choice>
Then you could use the token directly in your base search, which is more efficient:

index=foo $token$ ...

0 Karma

drultima
New Member

I will add some source code, so y'all have an idea of what I mean. This works fine:

<form>
  <label>WinOps - New Web Status</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <label>Select a time:</label>
      <default>Last 15 minutes</default>
    </input>
    <input type="dropdown" token="Cluster" searchWhenChanged="true">
      <choice value="1">Cluster1</choice>
      <choice value="2">Cluster2</choice>
      <default>1</default>
    </input>
    <input type="dropdown" token="Region">
      <choice value="N">North America</choice>
      <choice value="S">South America</choice>
      <default>P</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>% CPU Usage</title>
        <search>
          <query>host=DM$Region$DCLU0$Cluster$WEB* index=perfmon source="perfmon:cpu" | eval CPUValue=if(instance=="_Total" AND counter=="% Processor Time", Value, null()) | eval RndCPUValue = round(CPUValue, 0) | timechart avg(CPUValue) by host</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Date/Time</option>
      </chart>
    </panel>
  </row>
</form>

My issue is that I have 8 more web servers in two old clusters which don't follow that same naming pattern. They are:
DM$Region$DCLUWEB* (aggregating 01-08). 01-04 are one cluster and 05-08 are a second cluster. I want to mimic the working new query's dashboard with the old clusters. I tried to go in and add tags, but I don't seem to have the permission to do that. As an alternative, could I do a lookup and just upload a CSV with the 8 servers and their corresponding cluster?

0 Karma
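The lookup approach asked about in the post above, as an added example that is none of the posters' code: it assumes a CSV named old_web_clusters.csv (hypothetical name) with the columns host,cluster has been uploaded under Settings > Lookups > Lookup table files, and it resolves the dropdown token to the hosts listed for that cluster with an inputlookup subsearch instead of a host naming pattern. The host names in the comment are constructed from the DM$Region$DCLUWEB* pattern described above for the North America region; the token name OldCluster and the cluster labels old1/old2 are also assumptions.

```xml
<form>
  <label>WinOps - Old Web Status (hosts resolved through a lookup)</label>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" searchWhenChanged="true">
      <label>Select a time:</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- The dropdown value is only a cluster label; the host list lives in the CSV. -->
    <input type="dropdown" token="OldCluster" searchWhenChanged="true">
      <label>Old cluster</label>
      <choice value="old1">Old Cluster 1 (WEB01 to WEB04)</choice>
      <choice value="old2">Old Cluster 2 (WEB05 to WEB08)</choice>
      <default>old1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>% CPU Usage - $OldCluster$</title>
        <!--
          Assumed lookup file old_web_clusters.csv (hypothetical name), uploaded under
          Settings > Lookups > Lookup table files. Constructed contents:

            host,cluster
            DMNDCLUWEB01,old1
            DMNDCLUWEB02,old1
            DMNDCLUWEB03,old1
            DMNDCLUWEB04,old1
            DMNDCLUWEB05,old2
            DMNDCLUWEB06,old2
            DMNDCLUWEB07,old2
            DMNDCLUWEB08,old2

          The subsearch keeps only the rows for the selected cluster and returns the
          host field. Splunk rewrites that result as (host=DMNDCLUWEB01) OR (host=DMNDCLUWEB02) ...
          so the outer search is restricted to exactly those servers.
        -->
        <search>
          <query>index=perfmon source="perfmon:cpu" [| inputlookup old_web_clusters.csv | where cluster="$OldCluster$" | fields host] | eval CPUValue=if(instance=="_Total" AND counter=="% Processor Time", Value, null()) | timechart avg(CPUValue) by host</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisTitleX.text">Date/Time</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the dropdown only ever carries one of two fixed labels and the host list is data rather than search text, adding or retiring a server is a one-row change to the CSV and needs no tag permissions and no edit to the dashboard; the same CSV can also feed a second lookup column (for example region) if the old clusters ever need the Region dropdown as well.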

drultima
New Member

somesoni2,

Probably because I am brand new to Splunk and not a programmer by nature, I don't understand how that helps. I don't see how I can use that to delineate a list of servers for each $sourcetype$ as shown in the example above.

0 Karma

lguinn2
Legend

You didn't mention $sourcetype$ at all in your question... you've lost me.

0 Karma

drultima
New Member

I was going off of what you had posted as an example.... I will post something more specific shortly.

0 Karma

lguinn2
Legend

First, your if statement syntax is wrong; I don't think that will work in a search. Second, since the token is a field input, it is a substitution variable and must be enclosed in $.

I have several suggestions/alternatives:

  • Create tags for the hosts. Tag server1,server2,server3 and server4 with one tag; tag the other servers with a different tag. Now, when you set up the dropdown, instead of 1 and 2, set the dropdown values to the names of the tags. Your search will then be

    tag=$token$

  • In the dropdown, you set both a name that will appear in the menu to the user, and the value that will be assigned to the token. You could set the values (unseen by the user) to "host=server1 OR host=server2 OR host=server3 OR host=server4" and "host=server5 OR host=server6 OR host=server7 OR host=server8". Your search would then be

    $token$

I like the first alternative best, because I think it is easier to manage the tags. But either should work.

Based on comments, here is an update that shows exactly how the second alternative would work in a dashboard/form:

<form>
  <label>Your Dashboard Name</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="myToken" searchWhenChanged="true">
      <label>Your prompts</label>
      <choice value="host=server1 OR host=server2 OR host=server3 OR host=server4">1</choice>
      <choice value="host=server5 OR host=server6 OR host=server7 OR host=server8">2</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>Host Count</title>
        <searchString>$myToken$</searchString>
      </event>
    </panel>
  </row>
</form>

drultima
New Member

lguinn, I don't see where I can add tags. I may not have enough permission.

0 Karma

somesoni2
Revered Legend

This is a sample dashboard with a similar requirement. Adjust this to suit your requirement (this can be run on any Splunk 6.X instance).

<form>
  <label>Select  sourcetype by token</label>
  <description/>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="splunkd,splunkd_access">1</choice>
      <choice value="splunk_web_access,splunk_web_service">2</choice>
      <default>splunkd,splunkd_access</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Showing count by sourcetypes-$sourcetype$</title>
        <searchString>index=_internal [|gentimes start=-1 | eval sourcetype="$sourcetype$" | table sourcetype | makemv sourcetype delim="," | mvexpand sourcetype ]| stats count by sourcetype</searchString>
        <earliestTime>-4h@m</earliestTime>
        <latestTime>now</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>
0 Karma