Splunk Search

Alter query based on value of a field within the query itself

ohlafl
Communicator

So I have a query that needs to change based on the value of a field within that query.

This is the "original" query: index=a element=value host=* ...[rest of query]

If element="example" then the original query is to be parsed, however if element="All" then the query needs to be altered:

index=a element!=* host=* .... [rest of query]

Note the example!= ... how should one approach this?

1 Solution

MuS
Legend

Hi ohlafl,

No, this is not possible with Splunk native simple XML. But I assume you could use some JS to parse the user input, change the SPL according to the user input and run the search then.

cheers, MuS

ohlafl
Communicator

I actually managed to solve this by creating a really ugly workaround:

I created a parent dashboard with two separate tables, one table for where the element operator value would be "=" and one for "!=", when a value is clicked the resulting drilldown will pass the operator as a hardcoded token depending on what table has been clicked.

The search query in the drilldown dashboard then dynamically digests the token operator as $operator$ which means that element$operator$ either equals element= or element!=.

Probably difficult to understand but for a person with the same problem this might be of some value.
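The workaround described above, written out as a constructed Simple XML dashboard (an added example, not the poster's own dashboard): two tables whose drilldowns set a hardcoded operator token, and a dependent panel whose search interpolates element$operator$. The index name a and the field element come from the question; panel titles, time range and the element_value token name are assumptions.

```xml
<dashboard>
  <label>Element drilldown (operator passed as token)</label>
  <!-- Constructed example: index "a" and field "element" come from the question; panel names are assumed -->
  <row>
    <panel>
      <title>Specific elements (drilldown sets operator "=")</title>
      <table>
        <search>
          <query>index=a element!="All" | stats count by element</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <!-- The operator is a fixed literal set by the dashboard, never user input,
               so the token cannot be used to inject arbitrary SPL into the child search -->
          <set token="operator">=</set>
          <set token="element_value">$row.element$</set>
        </drilldown>
      </table>
    </panel>
    <panel>
      <title>All elements (drilldown sets operator "!=")</title>
      <table>
        <search>
          <query>index=a | stats count</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <drilldown>
          <set token="operator">!=</set>
          <set token="element_value">*</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- Hidden until a drilldown has set $operator$ -->
  <row depends="$operator$">
    <panel>
      <title>Details for element$operator$$element_value$</title>
      <table>
        <search>
          <!-- |s quotes and escapes the value, so the clause becomes element="foo" or element!="*" -->
          <query>index=a element$operator$$element_value|s$ host=* | table _time host element</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The same pattern works across two dashboards by passing operator and element_value as URL parameters in a drilldown link instead of setting them in place.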

ohlafl
Communicator

Thank you, this is what I suspected.

0 Karma

woodcock
Esteemed Legend

I don't understand your question; it would help if you expanded your example much more fully.

0 Karma

cpetterborg
SplunkTrust

I suspect that the queries are being chopped up a bit due to the formatting that happens with some of the characters in the query. Please use the "Code Sample" tagging on the queries, then make sure that the query characters all transfer properly to the view that comes out in the web page. I don't know if that is woodcock's problem, but it certainly is confusing my understanding of your question.

0 Karma

MuS
Legend

It's not chopped up and it looks like I'm understanding the question 😉

0 Karma