Alter query based on value of a field within the query itself

ohlafl
Communicator

So I have a query that needs to change based on the value of a field within that query.

This is the "original" query: index=a element=value host=* ...[rest of query]

If element="example" then the original query is to be parsed; however, if element="All" then the query needs to be altered:

index=a element!=* host=* .... [rest of query]

Note the example!= ... how should one approach this?

ohlafl
Communicator

I actually managed to solve this by creating a really ugly workaround:

I created a parent dashboard with two separate tables, one table for where the element operator value would be "=" and one for "!=". When a value is clicked, the resulting drilldown passes the operator as a hardcoded token depending on which table has been clicked.

The search query in the drilldown dashboard then dynamically digests the token operator as $operator$ which means that element$operator$ either equals element= or element!=.

Probably difficult to understand but for a person with the same problem this might be of some value.

MuS
SplunkTrust

Hi ohlafl,

No, this is not possible with Splunk native Simple XML. But I assume you could use some JS to parse the user input, change the SPL according to the user input and then run the search.

cheers, MuS
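As an added illustration of both MuS's suggestion above (JavaScript that rewrites the SPL from the user input) and ohlafl's operator-token workaround, here is a plain function set that a Simple XML dashboard extension could call before submitting the search. This is example code, not code from the thread or from Splunk: the base query `index=a element=value host=*` is the one in the question, while the "All" label, the `[rest of query]` stand-in, the token names and the allowlist of operators are assumptions for illustration. The security point it adds is that dashboard tokens can be set from the URL (`?form.element=...`), so any token interpolated raw into SPL is user input and must be quoted or allowlisted.

```javascript
// Added example, not code from the thread or from Splunk. A Simple XML JS
// extension could use these helpers to build the SPL from the dashboard
// input before running the search. Base query from the question:
//   index=a element=value host=*
// Assumed: "All" is the input label meaning "events with no element", and
// "host=*" stands in for "[rest of query]".

const ALL_LABEL = "All";                           // assumed label
const ALLOWED_OPERATORS = new Set(["=", "!="]);    // the two operators the OP's tables emit

// Quote a value as an SPL string literal: backslashes and double quotes are
// escaped so the value cannot close the literal and append further SPL
// (e.g. a "| delete" command). This mirrors the Simple XML $token|s$ filter;
// it is needed because tokens can arrive from the URL (?form.element=...)
// and are therefore attacker-controllable input.
function splQuote(value) {
  const escaped = String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `"${escaped}"`;
}

// MuS's approach: decide the clause in code from the selected value.
// "All" means element!=* (no element field at all), anything else is an
// exact, quoted match.
function elementClauseFromValue(element) {
  if (element === ALL_LABEL) {
    return "element!=*";
  }
  return `element=${splQuote(element)}`;
}

// ohlafl's workaround: the drilldown passes the operator itself as a token
// ($operator$) and the target search concatenates element$operator$$value$.
// Allowlist the operator, because a crafted URL can set it to anything.
// A bare "*" is kept unquoted so the original element!=* form is produced.
function elementClauseFromTokens(operator, value) {
  if (!ALLOWED_OPERATORS.has(operator)) {
    throw new Error(`unexpected operator token: ${JSON.stringify(operator)}`);
  }
  const rhs = value === "*" ? "*" : splQuote(value);
  return `element${operator}${rhs}`;
}

// Assemble the full search string; `rest` stands in for "[rest of query]".
function buildSearch(element, rest = "host=*") {
  return `index=a ${elementClauseFromValue(element)} ${rest}`;
}

// Stand-alone demo: the two legitimate inputs, one injection attempt that
// is neutralised by quoting, and the token form of the "All" case.
function demo() {
  return [
    buildSearch("example"),
    buildSearch("All"),
    buildSearch('x" | delete'),
    `index=a ${elementClauseFromTokens("!=", "*")} host=*`,
  ];
}

console.log(demo().join("\n"));
```

If the dashboard stays pure Simple XML and interpolates the token directly in the `<search>` element, use `$element|s$` rather than `$element$` for the value so Splunk applies the same quoting; the operator token, which has no quoting filter, should only ever be set by the drilldown's own hardcoded `<set>` and never read back from a free-text input.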

ohlafl
Communicator

Thank you, this is what I suspected.


woodcock
Esteemed Legend

I don't understand your question; it would help if you expanded your example much more fully.


cpetterborg
SplunkTrust

I suspect that the queries are being chopped up a bit due to the formatting that happens with some of the characters in the query. Please use the "Code Sample" tagging on the queries, then make sure that the query characters all transfer properly to the view that comes out in the web page. I don't know if that is woodcock's problem, but it certainly is confusing my understanding of your question.


MuS
SplunkTrust

It's not chopped up and it looks like I'm understanding the question 😉
