Advanced XML If/then logic

tmurray3
Path Finder

Is there a way to check the results of a saved search and then apply some if / then logic in advanced xml?

For example, if the saved search returns a range value ($results[0].range$) of X then display the message "Missing Data". Otherwise display "Status is Normal"

Here is an example of what I would like to do... not sure if it is possible...

    <module name="HiddenSavedSearch" layoutPanel="panel_row3_col2" autoRun="True">
      <param name="savedSearch">AF-Search-Datacenter-Health-VA</param>

      <module name="HTML">
        <param name="html">
          <![CDATA[

            ---insert some if then logic here:

            if ($results[0].range$ == "1") {
              <div class="dataCenterHealth-missing-data">
              Health Status is  Missing data</div>
            } else {
              <div class="dataCenterHealth-normal">
              Health Status is Normal</div>
            }
          ]]>
        </param>
      </module>
    </module>
0 Karma

sideview
SplunkTrust

Well there are two ways. The first is probably the simplest, and the idea is to do the switching in the search language.

1) Here we make two fields on the fly using a PostProcess module - message and className, and then display the appropriate message, with the appropriate classname right in the HTML module.

<module name="HiddenSavedSearch" layoutPanel="panel_row3_col2" autoRun="True">
  <param name="savedSearch">AF-Search-Datacenter-Health-VA</param>

  <module name="PostProcess">
    <param name="search">eval message=if(range=="1","Health Status is  Missing data","Health Status is Normal") | eval className=if(range=="1","missing-data","normal")</param>

    <module name="HTML" >
      <param name="html"><![CDATA[

        <div class="dataCenterHealth-$results[0].className$">
          $results[0].message$
        </div>

      ]]></param>
    </module>
  </module>
</module>

2) The other way is to use PostProcess with a little eval to make a field called isMissingData that will have one of two values - let's say "true" and "false" are our two values. Then to use a ResultsValueSetter module downstream from the PostProcess to pull that field value from the search results down so that it's available as a simple $isMissingData$ token in the XML. Then downstream from the ResultsValueSetter to use a Switcher module that listens for that $isMissingData$ key and basically forks between two different HTML modules. You'd have one HTML module downstream from the Switcher with group="true" and the other HTML module downstream from the Switcher with group="false". The advantage of the Switcher way is that you can have arbitrarily different module config in each of the Switcher branches. Here, since the only difference is a small difference in HTML, it's almost certainly overkill.

Doing things with PostProcess and ResultsValueSetter and Switcher feels really weird the first few times you do it, but you can do a weirdly large range of things with it once you get the hang of it.

All in all though I think your use case is simple enough where the first way is easier and that's what I recommend (the posted XML above) - using a little eval and just using the HTML module's internal $results[0].fieldName$ syntax.

0 Karma
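
The second approach from the answer above (PostProcess, then ResultsValueSetter, then Switcher), written out as an added example that is not part of the original post. The param names `fields` and `selectedGroup` do not appear on the page; they are assumed here and should be checked against the Sideview Utils documentation for the installed version.

```xml
<!-- Added example: PostProcess -> ResultsValueSetter -> Switcher -->
<module name="HiddenSavedSearch" layoutPanel="panel_row3_col2" autoRun="True">
  <param name="savedSearch">AF-Search-Datacenter-Health-VA</param>

  <!-- Reduce the result to one field holding the string "true" or "false". -->
  <module name="PostProcess">
    <param name="search">eval isMissingData=if(range=="1","true","false") | fields isMissingData</param>

    <!-- Copy the first row's isMissingData value into the $isMissingData$ token.
         Assumption: the param is named "fields". -->
    <module name="ResultsValueSetter">
      <param name="fields">isMissingData</param>

      <!-- Render only the child whose group attribute equals the token value.
           Assumption: the param is named "selectedGroup". -->
      <module name="Switcher">
        <param name="selectedGroup">$isMissingData$</param>

        <module name="HTML" group="true">
          <param name="html"><![CDATA[
            <div class="dataCenterHealth-missing-data">Health Status is Missing data</div>
          ]]></param>
        </module>

        <module name="HTML" group="false">
          <param name="html"><![CDATA[
            <div class="dataCenterHealth-normal">Health Status is Normal</div>
          ]]></param>
        </module>
      </module>
    </module>
  </module>
</module>
```

Both branches contain only static markup, so no text from the search results is interpolated into the page; the literal "true"/"false" token only selects which branch renders.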

RicoSuave
Builder

Hello, it appears to me that you might have to modify the underlying search that is being used. You might be overcomplicating things in your code. You'll want to use a combination of rangemap to group results together, then some eval "if" magic. Try something similar to this.

<your search that fetches whatever the value that reports on datacenterhealth> | rangemap field=<yourinterestingfield> normal=1-100 bad=0 | eval datacenterhealthstatus=if(range="normal", "OK", "NOTOK") | stats last(datacenterhealthstatus) as datacenterhealth

You could then use this result and display it in the html module. I run very similar searches in my environment to report on the status of various network elements.
