Reputation: 43
I want to do this.
if scope == 'request':
    search request_type=*
elif scope == 'site':
    search request_type=* site=*
elif scope == 'zone':
    search request_type=* site=* zone=*
elif scope == 'cluster':
    search request_type=* site=* zone=* cluster=*
And I just can't make it happen. Why is this so hard? I tried gen'ing up a search string. I tried a multisearch. I don't want charts per scope type. That is ugly. I can't do something like this:
eval search_string="request_type=* site=* zone=* cluster=*" | search $search_string$
I also tried a conditional multi-search. I get no filtering from that.
| multisearch
[search $request_type_token$ | where "$scope_token$" == "request_type" ]
[search $request_type_token$ $site_token$ | where "$scope_token$" == "site"]
[search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"]
[search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"]
Upvotes: 3
Views: 5156
Reputation: 33445
Since this is taking place on a dashboard (else you wouldn't have tokens), you may be best-off building the possible searches into separate panels, and only displaying the one you choose by using the depends="$token$" option on each panel - using a conditional eval when a dropdown item is chosen
https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML
Upvotes: 1
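A single-panel variant of the dropdown-driven idea in the answer above, as an added example that is not part of the original answer: the dropdown's change handler sets one filter token, and the panel's depends attribute keeps it hidden until that token exists. The token name scope_filter, the index name foo, the time range and the timechart command are assumptions made for illustration.

```xml
<form>
  <label>Request scope (constructed example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="scope_token" searchWhenChanged="true">
      <label>Scope</label>
      <choice value="request">Request</choice>
      <choice value="site">Site</choice>
      <choice value="zone">Zone</choice>
      <choice value="cluster">Cluster</choice>
      <default>request</default>
      <!-- Each condition maps a fixed dropdown value to a fixed filter string,
           so no free-form user text is spliced into the search. -->
      <change>
        <condition value="request">
          <set token="scope_filter">request_type=*</set>
        </condition>
        <condition value="site">
          <set token="scope_filter">request_type=* site=*</set>
        </condition>
        <condition value="zone">
          <set token="scope_filter">request_type=* site=* zone=*</set>
        </condition>
        <condition value="cluster">
          <set token="scope_filter">request_type=* site=* zone=* cluster=*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <!-- depends hides the panel (and holds its search) until scope_filter is set -->
    <panel depends="$scope_filter$">
      <chart>
        <search>
          <!-- index=foo and the timechart are placeholders (assumptions) -->
          <query>index=foo $scope_filter$ | timechart count by request_type</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```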
Reputation: 9916
multisearch is not the right approach as it will run all 4 searches simultaneously.
You should be able to build the search string in a subsearch something like this:
index=foo request_type=* [| makeresults
| eval search=case("$token$"="site", "site=*",
    "$token$"="zone", "site=* zone=*",
    "$token$"="cluster", "site=* zone=* cluster=*",
    1==1, "")
| fields search]
The subsearch evaluates the token and sets the search string based on the selected value. The 1==1 case catches any unexpected values.
Upvotes: 2