Solved: how to add dynamic conditions in a query?

flzhang132 · ‎08-24-2018

I want to add dynamic conditions.

When June 2018, the query condition was " |search searchDate = 201806 createDate !=“2018/07" "to return n data.

When July 2018, the query condition was " |search createDate =“2018/07" " to return 2n data.

It is important to complete in a query.

for example

If now()==201806
| search searchDate = 201806 createDate !=“2018/07"
If now() == 201807
| search createDate =“2018/07"

Thanks very much

niketn · ‎08-26-2018

@flzhang132 your question is not clear please add more sample data and your expected output based on the same. If you requirement is really to decide the logic for 201806 and 201807 based on current time i.e. now(), then it will never set either one of your required search filters.

Now if have an input which set time to June 2018 or July 2018 (i.e. Time Picker or Text Box or dropdown or something else) then you would need to provide existing Simple XML code. You can set the Search filter token based on input change. Then use the token in your SPL later.

Following is run anywhere example which does something similar for Text Box input.

<form>
  <label>Search query based on Selected Time</label>
  <fieldset submitButton="false">
    <input type="text" token="tokTime" searchWhenChanged="true">
      <label>Provide Time</label>
      <default>201806</default>
      <change>
        <!-- Set search filter as per the Text value i.e. 201806 and 201807. Do not set the token otherwise (i.e. no default true() condition in place)-->
        <eval token="tokSearchFilter">case($value$=="201806","search searchDate=\"201806\" createDate!=\"2018/07\"",$value$=="201807","search createDate=\"2018/07\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokSearchFilter: $tokSearchFilter$</title>
    </panel>
  </row>
</form>

PS: If this is not what you want, then please provide more details in form of sample data, existing query, current output and expected output.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-26-2018

@flzhang132 your question is not clear please add more sample data and your expected output based on the same. If you requirement is really to decide the logic for 201806 and 201807 based on current time i.e. now(), then it will never set either one of your required search filters.

Now if have an input which set time to June 2018 or July 2018 (i.e. Time Picker or Text Box or dropdown or something else) then you would need to provide existing Simple XML code. You can set the Search filter token based on input change. Then use the token in your SPL later.

Following is run anywhere example which does something similar for Text Box input.

<form>
  <label>Search query based on Selected Time</label>
  <fieldset submitButton="false">
    <input type="text" token="tokTime" searchWhenChanged="true">
      <label>Provide Time</label>
      <default>201806</default>
      <change>
        <!-- Set search filter as per the Text value i.e. 201806 and 201807. Do not set the token otherwise (i.e. no default true() condition in place)-->
        <eval token="tokSearchFilter">case($value$=="201806","search searchDate=\"201806\" createDate!=\"2018/07\"",$value$=="201807","search createDate=\"2018/07\"")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokSearchFilter: $tokSearchFilter$</title>
    </panel>
  </row>
</form>

PS: If this is not what you want, then please provide more details in form of sample data, existing query, current output and expected output.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

flzhang132 · ‎08-26-2018

thanks, this is what I want

mstjohn_splunk · ‎08-24-2018

Also @flzhang132, I stumbled upon this in Splunk Answers: https://answers.splunk.com/answers/639738/dynamic-conditions-composition-into-a-search-uses.html

Not sure if it's related to your issue, but I thought I'd pass it on 🙂

mstjohn_splunk · ‎08-24-2018

Hi @flzhang132 - Were you able to test out @kamlesh_vaghela ’s solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

flzhang132 · ‎08-26-2018

but when condition 1, only calls (strftime(now(),"%Y%m")=="201806" AND searchDate="201806" AND createDate!="2018/07" )
when condition 2,only calls (strftime(now(),"%Y%m")=="201807" AND createDate="2018/07")

Under different conditions, these two predicate conditions can only execute one, can they?

flzhang132 · ‎08-26-2018

thanks very much!

kamlesh_vaghela · ‎08-24-2018

@flzhang132

Can you please try folowing search?

YOUR_SEARCH | where (strftime(now(),"%Y%m")=="201806" AND searchDate="201806" AND createDate!="2018/07" ) OR (strftime(now(),"%Y%m")=="201807" AND createDate="2018/07")

Thanks

vjagani_splunk · ‎01-24-2019

Thanks, @kamlesh_vaghela,
I have a similar problem and here I'm putting the generic answer for this question. Your answer helped a lot because accepted answer we can only use in the dashboard but this can be used anywhere even I've used this in a macro.

| where (your_high_level_search_with_first_value AND condition_related_to_first_value) OR (your_high_level_search_with_second_value AND condition_related_to_second_value) OR ....so on.

how to add dynamic conditions in a query?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!