
I'm creating a Dashboard in Splunk. It has one dropdown menu to select App-name(App1 or App2), another drop-down to select log_type (Detailed and App_specific), and a Search panel to show output of search query.

For instance,

  1. If user selects App1 and log_type as app_specific, then the Panel should result for the query:

index=App1 "taskExecutor-1" | sort -_time | table msg

For App1, selecting app_specific should add "taskExecutor-1" to the query.

  2. If user selects App2 and log_type as app_specific, then the Panel should result for the query:

index=App2 "ool-44-thread-1" | sort -_time | table msg

For App2, selecting app_specific should add "ool-44-thread-1" to the query.

  3. If user selects App1 and log_type as Detailed, then the Panel should result for the query:

index=App1 | sort -_time | table msg

Selecting Detailed should not add anything to the query. Or we can say, an empty value.

How can I customize the query to accommodate such behavior in Splunk? Is there any if/else or case functionality in Splunk that can help achieve this behavior?

user2769790

1 Answer


Investigate dashboard tokens

In your input field(s) (radio, dropdown, etc) on your dashboard, set the token to have multiple possible options (static or dynamic - your choice)

Then in your SPL, do the following:

index=ndx "$mytoken$" msg=*
| sort 0 - _time
| table msg
warren
  • I understand that part of using Splunk Tokens. But I want an if-else condition in the SPL, so I don't have to create multiple tokens. – user2769790 Nov 16 '21 at 18:19
  • @user2769790 - my example only uses one token - it just gets different values based on the selection made :) – warren Nov 16 '21 at 18:39
  • Yeah. But then, I will have to create a separate token for "ool-44-thread-1" and "taskExecutor-1". I have already created tokens for App2 and App1 and log_type. If someone selects App1 and log_type as app_specific, then the query should be automatically able to use "taskExecutor-1" in the query. If someone selects App1 and log_type as detailed, then the query should be automatically able to use " "/empty. For App2 and app_specific, the query should be automatically able to use "ool-44-thread-1". Hope this helps in understanding my goal. – user2769790 Nov 16 '21 at 19:01
  • @user2769790 - then use a dynamically-populated token: you cannot having to enumerate options...if you want the options *enumerated* – warren Nov 17 '21 at 13:46
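The if/else the question asks for can live in the dashboard itself rather than in the SPL: `<change>`/`<condition>` handlers on both dropdowns set one extra token that the panel search references, so the three cases from the question map to three token values. This is an added example, not code from the question or the answer; the token names `app`, `log_type` and `thread_filter`, the `<init>` block and the `match` expression syntax are my assumptions about Simple XML (Classic) dashboards.

```xml
<form>
  <init>
    <set token="thread_filter">*</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="app">
      <choice value="App1">App1</choice>
      <choice value="App2">App2</choice>
      <default>App1</default>
      <change>
        <!-- $value$ is the newly chosen app; $log_type$ is the other dropdown's current value -->
        <condition match="$value$==&quot;App1&quot; AND $log_type$==&quot;app_specific&quot;">
          <set token="thread_filter">"taskExecutor-1"</set>
        </condition>
        <condition match="$value$==&quot;App2&quot; AND $log_type$==&quot;app_specific&quot;">
          <set token="thread_filter">"ool-44-thread-1"</set>
        </condition>
        <condition>
          <!-- Detailed: "*" matches every event; an undefined token would stop the search from running -->
          <set token="thread_filter">*</set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="log_type">
      <choice value="detailed">Detailed</choice>
      <choice value="app_specific">App specific</choice>
      <default>detailed</default>
      <change>
        <condition match="$app$==&quot;App1&quot; AND $value$==&quot;app_specific&quot;">
          <set token="thread_filter">"taskExecutor-1"</set>
        </condition>
        <condition match="$app$==&quot;App2&quot; AND $value$==&quot;app_specific&quot;">
          <set token="thread_filter">"ool-44-thread-1"</set>
        </condition>
        <condition>
          <set token="thread_filter">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=$app$ $thread_filter$ | sort 0 -_time | table msg</query>
        </search>
      </event>
    </panel>
  </row>
</form>
```

Both dropdowns carry the same three conditions so the filter is recomputed whichever one changes last; `*` stands in for the "empty value" in the question because a panel search is not run while a token it references is undefined.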