Splunk Search

Work of OR/AND condition search query based on the match & should give the result.

rakshithreddy
Explorer

Hi Team,

I am trying to populate a panel on the dashboard on the basis of two input fields:

Profileid & Transactionid

The search query I have written for the panel is

index=abc profile=$profileid$ AND transaction=$transactionid$

Now the requirement is: if there is an event which exactly matches a condition like profileid=mnp and transactionid=xyz, then only that event is shown in the panel. If I use OR in the search query, then either of the matching results is shown.

What I want is: if there is an exact match available, then the AND condition search should run; if there is no exact match, then the OR condition search should run. How do I build up the logic to dynamically decide whether the OR or the AND search query should give me the result?

Thank you


niketn
Legend

Following is a run-anywhere search that you can try out to see if it fits the need. This search performs an AND to fetch at least one record (using head 1 so that it does not consume a lot of resources). In case it finds no results, then the Search Filter is set to OR; otherwise it is set to AND.

<form>
  <label>AND with OR fallback</label>
  <!-- Base search: probe whether at least one event satisfies the AND condition.
       head 1 stops the job as soon as a single match is found. -->
  <search>
    <query>index=_internal sourcetype="$selSourceType$" log_level="$selLogLevel$"
| head 1</query>
    <!-- Use the same time window as the panel search below; if the two windows
         differ, the probe can report "no match" for a window the panel does not use. -->
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <!-- No Results found by performing AND, hence change the filter to OR -->
      <condition match="$job.resultCount$==0">
        <set token="filterType">OR</set>
      </condition>
      <!-- Result/s found by performing AND, hence retain the filter to AND -->
      <condition>
        <set token="filterType">AND</set>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="selSourceType" searchWhenChanged="true">
      <label>Select Sourcetype</label>
      <choice value="splunkd">splunkd</choice>
      <choice value="splunkd_ui_access">splunkd_ui_access</choice>
      <choice value="doesnotexist">doesNotExist</choice>
    </input>
    <input type="dropdown" token="selLogLevel" searchWhenChanged="true">
      <label>Select Log Level</label>
      <choice value="INFO">Info</choice>
      <choice value="WARN">warn</choice>
      <choice value="UNKNOWN">Unknown</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Filter Type=$filterType$</title>
        <!-- Panel search: $filterType$ is substituted with AND or OR by the base search's done handler;
             the panel does not run until that token has been set. -->
        <search>
          <query>index=_internal sourcetype="$selSourceType$" $filterType$ log_level="$selLogLevel$"
| stats count by sourcetype log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

PS: log_level=INFO and WARN exist only in splunkd and not in splunkd_ui_access. You can also try out doesnotexist and UNKNOWN for unmatched-scenario testing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
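The same AND-with-OR-fallback can also be expressed as a single search inside the panel, with no base search and no token handoff, so the probe and the panel can never run over different time windows or race each other. This is an added example and not part of the answer above; it assumes the question's index `abc`, the event fields `profile` and `transaction`, and the dashboard tokens `profileid` and `transactionid`. The `|s` token filter is Simple XML's own quoting filter: it wraps the token value in double quotes and escapes embedded quotes and backslashes, so a user-supplied value containing spaces or quote characters stays a single literal instead of being spliced into the SPL unquoted as in `profile=$profileid$`.

```xml
<row>
  <panel>
    <title>Exact match if available, otherwise either field</title>
    <table>
      <search>
        <!-- 1. Pull every event matching either field (the OR set).
             2. Flag the events that satisfy both fields (the AND subset).
             3. eventstats max(exact) is 1 for every event if any exact match exists, else 0.
             4. Keep only exact matches when there are any, otherwise keep the whole OR set. -->
        <query>index=abc (profile=$profileid|s$ OR transaction=$transactionid|s$)
| eval exact=if(profile=$profileid|s$ AND transaction=$transactionid|s$, 1, 0)
| eventstats max(exact) AS any_exact
| where exact=1 OR any_exact=0
| fields - exact any_exact</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </table>
  </panel>
</row>
```

Because `eventstats` must see the whole OR result set before it can decide, this form holds all OR matches in the search head's memory; for a profile value that matches very many events, keep the time range tight or use the two-search version above, which stops the probe at the first hit and only ever runs the panel once with the chosen operator.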

