topic Re: Dashboard to query optional fields in Splunk Search

Dashboard to query optional fields

gtonti — Mon, 21 May 2018 08:35:35 GMT

My log file is:

TimeStamp=20180521095103123 Service=ABC12 User=ut1234 Id=12345678 Msg=ttttttttttttt
TimeStamp=20180521095103456 Service=ABC12 Id=12345678 Msg=xxxxxxxxxxxx
TimeStamp=20180521095103723 Service=ABC12 User=ut1234 Msg=yyyyyyyyyyyyyyyy

I want a dashboard in which I can search for Service, User, Id.
I made three input fields with default="*".

Service
*
User
*
id
*

My query is:

index=xxxx Service=$serviceToken$ User=$userToken$ Id=$idToken$

When I make the query I get only thee first row of the log.
I understood that it is related to fields not present in the log file.

How can I modify my dashboard/query to obtain alle the rows?

Thank you

Re: Dashboard to query optional fields

mayurr98 — Mon, 21 May 2018 09:34:13 GMT

Try this

index=xxxx Service=$serviceToken$ Id=$idToken$ OR User=$userToken$

let me know if this helps!

Re: Dashboard to query optional fields

gtonti — Mon, 21 May 2018 09:56:42 GMT

Thank you for the reply.
It works if I leave * in all the inputs.
If I set User to ut1234 I want only two lines as response of the query (the row 1 and 3).

Thank you

Re: Dashboard to query optional fields

mayurr98 — Mon, 21 May 2018 12:05:40 GMT

Yes, you are right this will not work in that case. This is because you are searching User=ut1234 OR Id=*
In order to write correct search query, you would need to add only those fields which are available in all the events. OR else you would need to find a workaround

Try this

index=xxxx | fillnull value="NA" User |search  Service=$serviceToken$ Id=$idToken$  User=$userToken$

Re: Dashboard to query optional fields

gtonti — Tue, 22 May 2018 10:24:19 GMT

Hi everybody,
I adopted this solution. I created a token using change/condition. In this scenario I changed the default value form "*" to blanck.

The input in the xml dashboard definition is:

<input type="text">
<label>User</label>
<initialValue></initialValue>
<change>
<condition value="">
<set token="userToken"></set>
</condition>
<condition>
<set token="userToken">User=$value$</set>
</condition>
</change>
</input>

the query is:
index=xxx $userToken$

what happens is:
1) if User is empty/blank the query is index=xxx
2) if User has a value the query is index=xxx User=value

Re: Dashboard to query optional fields

duartet — Thu, 06 Feb 2020 14:33:59 GMT

Worked for me! Thanks