Splunk Search

How to use an if/else condition in forms?

ncbshiva
Communicator

I have a form with a field called "ORDERID" where a Splunk user can enter the ORDERID, for example 269092915. I want my form to run the search based on what the user inputs and check the ORDERSTATUS condition, for example whether it is "CLOSED" or "OPEN".

So the logic should be:

    if (input=269092915)
        then check the ORDERSTATUS
        if ORDERSTATUS is CLOSED
            then splunk search="index=....."
        else if ORDERSTATUS is OPEN
            then splunk search="index=....."

How can I use these conditions in forms?
Thanks


ncbshiva
Communicator

Hi, the code which you have given is showing some error,
so I have given the search queries for both OPEN and CLOSED below.

So, can you provide detailed code using these search queries?


ncbshiva
Communicator

Hi, the code which you have given is showing some error,
so I will provide you the search query for OPEN, that is:

source="/home/Techm/Desktop/OMS data/TABLE_X_I_WP_TASK1.csv" X_STATUS="Execution" X_I_WP_TASK2SUBPROJECT=$X_I_WP_TASK2SUBPROJECT$
| table X_I_WP_TASK2SUBPROJECT,X_ACTUAL_START_DATE,X_COMMITTED_END_DATE,X_COMMITTED_START_DATE,ID_map
| rename ID_map as TASK_NUMBER
| join TASK_NUMBER [search source="/home/Techm/Desktop/OMS data/CLASSIC_TASK_NAMES.csv"]
| table TASK_GROUP,TASK_NAME,X_I_WP_TASK2SUBPROJECT,X_ACTUAL_START_DATE,X_COMMITTED_END_DATE,X_COMMITTED_START_DATE
| eval j2=X_COMMITTED_END_DATE
| eval j1=X_COMMITTED_START_DATE
| eval d1=strptime(j1,"%d-%b-%y")
| eval d2=strptime(j2,"%d-%b-%y")
| eval X=(d2-d1)/86400
| eval k2=X_COMMITTED_END_DATE
| eval k1=X_ACTUAL_START_DATE
| eval c1=strptime(k1,"%d-%b-%y")
| eval c2=strptime(k2,"%d-%b-%y")
| eval Y=(c2-c1)/86400
| eval Delay=(X-Y)
| where Delay>1
| rename Delay as "DELAY IN COMPLETION OF TASK"
| join TASK_GROUP [search source="/home/Techm/Desktop/OMS data/AVERAGE_CLOSE_TIME3.csv" NOT "Avg_Close_Time"]
| rename EXPECTED as "EXPECTED DAYS REQUIRED TO COMPLETE THE ORDER"
| table TASK_GROUP,TASK_NAME,"DELAY IN COMPLETION OF TASK","EXPECTED DAYS REQUIRED TO COMPLETE THE ORDER"
| rename TASK_GROUP as "PRIMARY TASK"
| rename TASK_NAME as "SUB TASK"

The search query for CLOSED is:
source="/home/Techm/Desktop/OMS data/TABLE_X_I_WP_TASK1.csv" X_STATUS="Ended" X_I_WP_TASK2SUBPROJECT=$X_I_WP_TASK2SUBPROJECT$ ID_map!=" "
| table OBJID,ID_map,X_ACTUAL_START_DATE,X_COMMITTED_END_DATE,X_COMMITTED_START_DATE,S_X_TASK_ID,S_X_DESCRIPTION,X_I_WP_TASK2SUBPROJECT
| rename OBJID as CONTRACTID
| rename ID_map as TASK_NUMBER
| join TASK_NUMBER [search source="/home/Techm/Desktop/OMS data/CLASSIC_TASK_NAMES.csv" TASK_NUMBER!=" "]
| table CONTRACTID,TASK_NUMBER,S_X_TASK_ID,TASK_NAME,TASK_GROUP,X_I_WP_TASK2SUBPROJECT,X_ACTUAL_START_DATE,X_COMMITTED_END_DATE,X_COMMITTED_START_DATE
| eval j2=X_COMMITTED_END_DATE
| eval j1=X_COMMITTED_START_DATE
| eval d1=strptime(j1,"%d-%b-%y")
| eval d2=strptime(j2,"%d-%b-%y")
| eval diff=(d2-d1)/86400
| table CONTRACTID,TASK_NUMBER,S_X_TASK_ID,TASK_NAME,TASK_GROUP,X_I_WP_TASK2SUBPROJECT,diff
| stats avg(diff) as Avg_Close_Time by TASK_GROUP

Can you provide the detailed code using these search queries?


sideview
SplunkTrust

I do not believe that this can be done in the search language because you can't fork execution of a search pipeline depending on conditions.

This can be done in a couple ways in the UI layer using Sideview Utils though.

Both of these use lots of different Sideview modules, but the crux of this first one uses the ResultsValueSetter to "pull down" the CLOSED/OPEN field value, and then the Switcher module to fork the dashboard config based on whether the value is OPEN or CLOSED.

<module name="TextField">
  <param name="name">orderId</param>
  <!-- plug the user's orderId into the search -->
  <module name="Search">
    <param name="search">... ORDERID="$orderId$" | stats last(ORDERSTATUS) as ORDERSTATUS</param>
    <!-- pull down the CLOSED/OPEN value so we can refer to it as $ORDERSTATUS$ -->
    <module name="ResultsValueSetter">
      <param name="fields">ORDERSTATUS</param>
      <!-- Note the group attributes on the modules immediately *below* the Switcher. -->
      <module name="Switcher" group=" ">
        <param name="selectedGroup">$ORDERSTATUS$</param>
        <module name="Search" group="OPEN">
          <param name="search">... ORDERID="$orderId$" | here is your search if the status is OPEN</param>
          <module name="Pager">
            <module name="Table"/>
          </module>
        </module>
        <module name="Search" group="CLOSED">
          <param name="search">... ORDERID="$orderId$" | here is your search if the status is CLOSED</param>
          <module name="Pager">
            <module name="Table"/>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

2) There's another way that doesn't involve the Switcher module, although in this method you use the search language itself to create a search string, which is a little strange...

<module name="TextField">
  <param name="name">orderId</param>
  <!-- plug the user's orderId into the search -->
  <module name="Search">
    <param name="search">... ORDERID="$orderId$" | stats last(ORDERSTATUS) as ORDERSTATUS | eval searchStr=if(ORDERSTATUS=="OPEN","| some command | if the order is open","| some other commands | if the order is closed")</param>
    <!-- pull down the searchStr value so we can refer to it as $searchStr$ -->
    <module name="ResultsValueSetter">
      <param name="fields">searchStr</param>
      <module name="Search">
        <param name="search">... ORDERID="$orderId$" | $searchStr$</param>
        <module name="Pager">
          <module name="Table"/>
        </module>
      </module>
    </module>
  </module>
</module>

The advanced XML syntax is intimidating, but if you download Sideview Utils it contains little mini tutorials that show you how each module works one step at a time.

And I actually don't think there is any way to do this without using Sideview Utils, short of modifying or extending the core UI yourself by writing a significant amount of JavaScript.
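The same "look up the status, then fork" pattern can be expressed in plain Simple XML on later Splunk versions, without Sideview Utils or custom JavaScript. The following dashboard is an added example, not code from the answer above or from Sideview; it relies on Simple XML search event handlers (`<done>` with `<condition match="...">`, where the expression uses eval syntax and tokens are referenced in single quotes), which were introduced around Splunk 6.3. The index name `orders`, the field names and the two per-status searches are assumptions for illustration. One detail a practitioner should not skip: `$orderId$` is raw user input spliced into SPL, so the searches use the `|s` token filter, which wraps the value in double quotes and escapes embedded quotes and backslashes, so an input such as `269092915" OR ORDERID="*` cannot widen the search.

```xml
<form>
  <label>Order status (conditional search, added example)</label>
  <fieldset submitButton="true">
    <!-- free-text input; the value arrives in the $orderId$ token -->
    <input type="text" token="orderId">
      <label>ORDERID</label>
    </input>
  </fieldset>

  <!-- Step 1: look up the status of the entered order.
       $orderId|s$ quotes and escapes the user's value (assumed index "orders"). -->
  <search id="order_status">
    <query>index=orders ORDERID=$orderId|s$ | stats last(ORDERSTATUS) as ORDERSTATUS</query>
    <done>
      <!-- Step 2: fork on the returned value by setting exactly one token.
           'result.ORDERSTATUS' is the field from the first result row. -->
      <condition match="'result.ORDERSTATUS' == &quot;OPEN&quot;">
        <set token="isOpen">true</set>
        <unset token="isClosed"></unset>
      </condition>
      <condition match="'result.ORDERSTATUS' == &quot;CLOSED&quot;">
        <set token="isClosed">true</set>
        <unset token="isOpen"></unset>
      </condition>
      <condition>
        <!-- no result, or an unexpected status: show neither panel -->
        <unset token="isOpen"></unset>
        <unset token="isClosed"></unset>
      </condition>
    </done>
  </search>

  <!-- Step 3: a panel only renders (and its search only runs) while its token is set -->
  <row>
    <panel depends="$isOpen$">
      <title>Open order $orderId|h$</title>
      <table>
        <search>
          <!-- illustrative OPEN search: how long the order has been open -->
          <query>index=orders ORDERID=$orderId|s$
| stats earliest(_time) as opened by ORDERID
| eval days_open=round((now()-opened)/86400,1)
| fieldformat opened=strftime(opened,"%Y-%m-%d")</query>
        </search>
      </table>
    </panel>
    <panel depends="$isClosed$">
      <title>Closed order $orderId|h$</title>
      <table>
        <search>
          <!-- illustrative CLOSED search: open-to-close duration -->
          <query>index=orders ORDERID=$orderId|s$
| stats earliest(_time) as opened latest(_time) as closed by ORDERID
| eval days_to_close=round((closed-opened)/86400,1)
| fieldformat opened=strftime(opened,"%Y-%m-%d")
| fieldformat closed=strftime(closed,"%Y-%m-%d")</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `|h` filter in the panel titles HTML-escapes the token where it is rendered as markup, the same way `|s` protects it inside a search string; the fallback `<condition>` with no `match` is what keeps a missing or unexpected status from leaving a stale panel visible from the previous submission.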

ncbshiva
Communicator

The searches for closed and open cases are different.


sideview
SplunkTrust

The searches in your closed vs open cases are identical. However it seems implied that you want to run different searches depending on the open vs closed determination. Can you clarify, or add the rest of your search language?
