Can you do conditionals in searches where the acti...

j4adam · ‎08-24-2016

I did a lot of reading last night about eval ifs and read several posts that danced around the edge of being relevant enough to help me.

My situation is this:

I have a dashboard that has a table that's fueled by ~4 search tokens and I wanted to add a check box that would add another column to the table if checked. The original plan was to do (psuedo code):

if (checkbox is checked) append another field to my table command in the search. Else leave as it is.

So far I've been unable to find out if this is possible. I've read a lot of posts about people hiding panels by editing the XML. I'd like a more elegant solution than simply having two separate panels and inverting their visibility with the check box.

sundareshr · ‎08-25-2016

Try this run anywhere sample. You should be able to copy this, paste it in to your search window and see the results

index=_internal | table [| makeresults | eval search="_time sourcetype"." source" | table search]

sundareshr · ‎08-24-2016

See if this works

your base search | table [| makeresults | eval search="field1 field2".$fieldnamefromcheckbox$ | table search]

j4adam · ‎08-25-2016

That didn't work, but maybe I did it wrong.

Can you do conditionals in searches where the action is to add/change the search string?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms