Can you help me with my conditional search query involving a token?

jiaqya
Builder

I have a search which gets an input token as "*" for one of the columns.

I want the search to not run the query if the token comes as "*". But I want it to run if the token actually has some value other than "*".

Can you help me figure out how to write this query? Below is an example.

index= test_index testcolumn="*" |table _time,testcolumn,column2 -> This should not run, as it runs against all values.

but

index= test_index testcolumn="manualvalue" |table _time,testcolumn,column2 -> This should run, as it runs against only 1 value.

Any ideas how to get this working, as it's the same token?


niketn
Legend

@jiaqya try the following run anywhere example. The token tokLogLevelFinalFilter is used to filter search results. When All is selected in dropdown ($label$), then the token is unset. When any other value is selected in the dropdown, it is set to dropdown value ($value$).

Please try out and confirm!

<form>
  <label>Token Unset for All</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokLogLevel" searchWhenChanged="true">
      <label>Dropdown</label>
      <choice value="*">All</choice>
      <choice value="ERROR">Error</choice>
      <choice value="WARN">Warn</choice>
      <change>
        <condition label="All">
          <unset token="tokLogLevelFinalFilter"></unset>
        </condition>
        <condition>
          <set token="tokLogLevelFinalFilter">$value$</set>
        </condition>
      </change>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <b>Log Level set to $tokLogLevelFinalFilter$</b>
      </html>
      <!-- Add depends="$tokLogLevelFinalFilter$" to table to hide table when Search is not running -->
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="$tokLogLevelFinalFilter$"
| chart count by log_level component where max in top5
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


jiaqya
Builder

Niket, as I said, it worked to some extent; later I used a match instead of using equals and it works perfectly fine now. Thanks for your help.

The code that worked for me:

    <change>
      <condition match="value!=&quot;*&quot;">
        <set token="hostname">$value$</set>
      </condition>
      <condition match="value=&quot;*&quot;">
        <!-- Sentinel value set when "All" (*) is selected -->
        <set token="hostname">QueryCanceled</set>
      </condition>
    </change>

jiaqya
Builder

This works to some extent; I am able to get the values to change now for the token.
But when I choose a manual value, it does not refresh immediately.
Instead, I see the chosen value when I choose it again, i.e., it lags one click behind.

Is there a way to get this to refresh on making the manual choice?


493669
Super Champion

Why don't you change the token value in the input?


jiaqya
Builder

I can't change that token value in the input.

The reason is that I use that token = "*" for another panel to show full data in bar format.

But I also need that same token to show by individual record in another panel on the same dashboard.

So I am guessing I have to do it in the individual search query, but I don't know how to.


493669
Super Champion

You can try it like this: if the token is * then change it to blank, and if it is not * then it will remain the same.

|eval token = if(token="*","",token)

jiaqya
Builder

Tried this, but this does not work. The "*" asterisk is the problem, as it does not allow me to replace the token, since it represents "All". Any other ideas?
