Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

if count of rows equal to 3 show only head 1 else show all rows

surekhasplunk
Communicator
‎12-05-2017 04:13 AM

How to write a simple query at the end of my search query to populate table of my dashboard saying :
If count of rows = 3 then head 1 -show only 1st line
If count of rows >3 then may be head 10 or show all rows

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MonkeyK
Builder
‎12-05-2017 04:38 AM

you can use eventstats and streamstat to make this happen:

your base search | eventstats count  as totalCount| streamstats count as line_no | eval showlines=case(totalCount>3,10, 1=1, 1) | where line_no<=showlines

replace 10 with the number of lines that you want to see for >3

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-05-2017 06:07 AM

@surekhasplunk, you can try following run anywhere search

Step 1) I have a Text box for your to mock the number of results. If not numeric or empty, it will defaults to 10.

Step 2) I have used the following dummy base search (post-processing to apply head command in subsequent search) to create N-rows as per value selected in text box. You can put your current search here. PS: $tokRows$ defaults to 10.

    | makeresults
    | eval data=$tokRows$
    | eval data=mvrange(0,data)
    | mvexpand data

Step 3) Add <done> search event handler to set the filter token number for head command based on default search event handler token $job.resultCount$. PS: I have added additional condition for values between 3 to 10 it will show those many results. Only if greater than 10 it will show 10 results.

    <done>
      <condition match="$job.resultCount$<=3">
        <set token="tokFilter">1</set>
      </condition>
      <condition match="$job.resultCount$>3 AND $job.resultCount$<=10 ">
        <set token="tokFilter">$job.resultCount$</set>
      </condition>
      <condition>
        <set token="tokFilter">10</set>
      </condition>
    </done>

Following is the complete run anywhere dashboard.

<form>
  <label>Filter results based on search result count</label>
  <fieldset submitButton="false">
    <input type="text" token="Rows" searchWhenChanged="true">
      <label>Number of Row to create</label>
      <default>10</default>
      <change>
          <eval token="tokRows">if(match(value, &quot;^[0-9]+$&quot;),$value$, 10)</eval>
      </change>
    </input>
  </fieldset>
  <search id="baseSearch">
    <query>| makeresults
| eval data=$tokRows$
| eval data=mvrange(0,data)
| mvexpand data</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
    <done>
      <condition match="$job.resultCount$<=3">
        <set token="tokFilter">1</set>
      </condition>
      <condition match="$job.resultCount$>3 AND $job.resultCount$<=10 ">
        <set token="tokFilter">$job.resultCount$</set>
      </condition>
      <condition>
        <set token="tokFilter">10</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <title>Results- $tokRows$  - Filtered- $tokFilter$</title>
      <table>
        <search base="baseSearch">
          <query>
            | head $tokFilter$
          </query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

MonkeyK
Builder
‎12-05-2017 04:38 AM

you can use eventstats and streamstat to make this happen:

your base search | eventstats count  as totalCount| streamstats count as line_no | eval showlines=case(totalCount>3,10, 1=1, 1) | where line_no<=showlines

replace 10 with the number of lines that you want to see for >3

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎12-05-2017 05:36 AM

Thanks a lot @MonkeyK it worked !!!

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...