Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude condition from search depending on variable?

yurykiselev
Path Finder
‎06-21-2017 11:52 PM

Hi!

On my dashboard there is the dropdown list. I want to exlude its token criteria from search query if default value "notdef" is selected. i.e.:

if("$dropdown_token$" == "notdef")
    | WHERE param1 = $param1_token$ AND param2 = $param2_token$
else
    | WHERE param1 = $param1_token$ AND param2 = $param2_token$ AND dropdown_param = $dropdown_token$

I tried to use match replaceing "notdef" by empty sting while "notdef" is selected:

| eval dropdown_req = if("$dropdown_token$" == "notdef", "", "$dropdown_token$")
| WHERE param1 = $param1_token$ AND param2 = $param2_token$ AND match(dropdown_param, dropdown_req)

, but values of $dropdown_token$ include the sign "*" (e.g. "*A") and it doesn't work in regex in match().

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2017 02:48 AM

You can create the where filter directly from change event of the dropdown using eval. I have given an example based on the details provided. Dropdown choice values might change as per your use case (I expected one of the choice values is notdef).

<input type="dropdown" token="dropdown_token" searchWhenChanged="true">
  <label>Select Field</label>
  <choice value="notdef">Not Defined</choice>
  <choice value="*">All</choice>
  <change>
    <eval token="filterQuery">if($value$=="notdef"," | WHERE param1=$param1_token$ AND param2=$param2_token$", " | WHERE param1=$param1_token$ AND param2=$param2_token$ AND dropdown_param = $value$")</eval>
  </change>
</input>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

yurykiselev
Path Finder
‎06-22-2017 05:30 AM

I solved this using token prefix-postfix:

  <prefix>| where dropdown_param = "</prefix>
  <suffix>"</suffix>

and blank as default value.

Thank you all!

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-22-2017 02:48 AM

You can create the where filter directly from change event of the dropdown using eval. I have given an example based on the details provided. Dropdown choice values might change as per your use case (I expected one of the choice values is notdef).

<input type="dropdown" token="dropdown_token" searchWhenChanged="true">
  <label>Select Field</label>
  <choice value="notdef">Not Defined</choice>
  <choice value="*">All</choice>
  <change>
    <eval token="filterQuery">if($value$=="notdef"," | WHERE param1=$param1_token$ AND param2=$param2_token$", " | WHERE param1=$param1_token$ AND param2=$param2_token$ AND dropdown_param = $value$")</eval>
  </change>
</input>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

dineshraj9
Builder
‎06-22-2017 12:07 AM

Can you try this way -

| eval flag=if(like("$dropdown_token$","notdef"),"*","$dropdown_token$") | search param1=$param1_token$ AND param2=$param2_token$ | where dropdown_param=flag
0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...