Custom Logic of (AND) or (OR) Based on the input.

rakshithreddy
Explorer

Hi All

I am using custom logic in dashboard XML so that Splunk can choose the filter ( AND , OR ) based on the input given.

Here is my dashboard XML, which was working fine and giving the right events in these scenarios:
Only the value of Transaction Id given, with Anonymous Account Id left blank. ( Splunk going for OR filter )
Only the value of Anonymous Account Id given, with Transaction Id left blank. ( Splunk going for OR filter )
Both Transaction Id and Anonymous Account Id given, with both of those values existing in the events. ( Splunk going for AND filter )

Not working in this scenario:
Both Transaction Id and Anonymous Account Id given, with both of those values not present in the events. ( Splunk going for OR filter )

So, in the above not-working scenario Splunk is going for the ( OR ) filter, which should be an ( AND ) filter.

Thank you in Advance.

<form>
  <label>Test</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="transactionid" searchWhenChanged="true">
      <label>Transaction Id</label>
      <default></default>
    </input>
    <input type="text" token="anonymousaccountid" searchWhenChanged="true">
      <label>Anonymous Account Id</label>
      <default></default>
    </input>
    <input type="time" token="time">
      <label>Monitoring Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search>
    <query>index=kubernetesservices splunk_server_group=aws_w transactionId="$transactionid$" AnonymousAccountId="$anonymousaccountid$"
      | head 1</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <done>
      <!-- No Results found by performing AND, hence change the filter to OR -->
      <condition match="$job.resultCount$==0">
        <set token="filterType">OR</set>
      </condition>
      <!-- Result/s found by performing AND, hence retain the filter to AND -->
      <condition>
        <set token="filterType">AND</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <single>
        <title>Total Event Count for Given Transaction Id / Anonymous Account Id</title>
        <search>
          <query>index=kubernetesservices splunk_server_group=aws_w transactionId="$transactionid$" $filterType$ AnonymousAccountId="$anonymousaccountid$" | stats count as Idcount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <title>Detailed Events for Given Transaction Id / Anonymous Account Id</title>
        <search>
          <query>index=kubernetesservices splunk_server_group=aws_w transactionId="$transactionid$" $filterType$ AnonymousAccountId="$anonymousaccountid$"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</form>
1 Solution

niketn
Legend

@rakshithreddy, based on what you have asked, in case both filters $transactionid$ and $anonymousaccountid$ are provided and still do not return any results, the filter will remain as AND through the following logic. However, a detailed description of your use cases might be required so that you don't run into similar "pitfalls" (or NFRs in your case):

<done>
  <!-- No Results found by performing AND, hence change the filter to AND if both inputs have been provided else set it to OR -->
  <condition match="$job.resultCount$==0">
    <eval token="filterType">case(len($transactionid$)>0 AND len($anonymousaccountid$)>0,"AND",true(),"OR")</eval>
  </condition>
  <!-- Result/s found by performing AND, hence retain the filter to AND -->
  <condition>
    <set token="filterType">AND</set>
  </condition>
</done>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
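The accepted `case()` logic applied end to end in a complete form, as an added example that is neither rakshithreddy's dashboard nor niketn's snippet. It keeps the index and field names from the question; the two hardening choices are mine: the tokens inside `<eval>` are wrapped in double quotes so a blank input still yields a valid expression, and the `<query>` elements pass the inputs through Splunk's `|s` token filter so a stray double quote typed into a text box cannot break out of the generated search string.

```xml
<form>
  <label>Transaction / Account lookup</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="text" token="transactionid"><label>Transaction Id</label><default></default></input>
    <input type="text" token="anonymousaccountid"><label>Anonymous Account Id</label><default></default></input>
    <input type="time" token="time">
      <label>Monitoring Time</label>
      <default><earliest>-15m</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <!-- Probe search: try the strict AND match first. The |s filter wraps each value in
       double quotes and escapes embedded quotes and backslashes, so whatever is typed
       into the inputs stays a literal field value inside the generated SPL. -->
  <search>
    <query>index=kubernetesservices splunk_server_group=aws_w
      transactionId=$transactionid|s$ AnonymousAccountId=$anonymousaccountid|s$ | head 1</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
    <done>
      <condition match="$job.resultCount$==0">
        <!-- Tokens are substituted as text before eval runs, so they are quoted here:
             a blank input becomes len("") = 0 instead of an invalid len() call.
             Both inputs filled but no match -> keep AND; otherwise fall back to OR. -->
        <eval token="filterType">case(len("$transactionid$")>0 AND len("$anonymousaccountid$")>0, "AND", true(), "OR")</eval>
      </condition>
      <condition>
        <set token="filterType">AND</set>
      </condition>
    </done>
  </search>
  <!-- Panels reference $filterType$, so they do not run until the probe has set it. -->
  <row>
    <panel>
      <single>
        <title>Event count ($filterType$ match)</title>
        <search>
          <query>index=kubernetesservices splunk_server_group=aws_w
            transactionId=$transactionid|s$ $filterType$ AnonymousAccountId=$anonymousaccountid|s$
            | stats count as Idcount</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Because `|s` already emits the surrounding double quotes, the token must not be quoted a second time in the query (`transactionId="$transactionid|s$"` would produce a doubled quote). The detailed-events panel from the question can be added as a second row with the same `$filterType$` query minus the `stats`.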


niketn
Legend

@rakshithreddy, can you please explain as to why you need AND and not OR when both values are present but return no results?

AND will anyways give no results based on which OR is set. I believe that was your original requirement as well, that you need to perform OR when AND returns no results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"