topic Re: How come the text input token is not filtering out all results? in Splunk Search

How come the text input token is not filtering out all results?

gbwilson — Fri, 05 Oct 2018 18:32:46 GMT

I'm having trouble filtering results using a text input token.

When I enter the name of an application, the record with the correct app name is returned but so are other fields where the Application is listed as Unknown/null. I'm guessing this has something to do with the token being in a subsearch, but I can't seem to prevent the other rows being returned.

Let's say I'm searching for Application "test". I just want to see the first row, instead I see:
VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME
Test 1.2.3 Windows Test Person A Person B Person C Person D
Test1 4.5.6 Wndows Unknown
Test2 7.8.9 Linux Unknown
Test3 10.1.2 Linux Unknown
.....

<panel>
    <label>VM</label>
    <default>*</default>
    <prefix>VM="</prefix>
    <suffix>"</suffix>
  </input>
  <input type="text" token="appfield" searchWhenChanged="true">
    <label>Application</label>
    <default>*</default>
    <prefix>Application="</prefix>
    <suffix>"</suffix>
  </input>
  <table>
    <title>VM</title>
    <search>
      <query>index=cms_vm OperatingSystem_Code=*2008* $vmname$ | dedup VM| eval VM=upper(VM)| join type=outer VM [search index="cms_app_server" earliest="10/01/2018:00:00:00" latest="10/01/2018:24:00:00" "$appfield$" | fields VM Application]| join type=outer Application [search index="cms_application" earliest=1 latest=now() | dedup Code | fields Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME] | table VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME| fillnull value=Unknown Application| rename Asset AS "Asset Type", OperatingSystem_Code AS "Operating System"
      <earliest>1537848000</earliest>
      <latest>1537934400</latest>
    </search>
    <option name="count">20</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

Re: How come the text input token is not filtering out all results?

Vijeta — Fri, 05 Oct 2018 19:01:23 GMT

Can you give Application= “$apptoken$” in your search

Re: How come the text input token is not filtering out all results?

nswondem — Fri, 05 Oct 2018 19:07:29 GMT

Consider adding Application=* to eliminate any null values.

Re: How come the text input token is not filtering out all results?

nswondem — Fri, 05 Oct 2018 19:09:27 GMT

Here's an example:

[search index="cms_app_server" earliest="10/01/2018:00:00:00" latest="10/01/2018:24:00:00" Application=* "$appfield$" | fields VM Application]

Re: How come the text input token is not filtering out all results?

gbwilson — Fri, 05 Oct 2018 19:11:28 GMT

I've tried doing that, but I still get the same issue where the Unknown results still appear.

Re: How come the text input token is not filtering out all results?

Vijeta — Fri, 05 Oct 2018 19:16:38 GMT

Why are you using an outer join? Do you want the events from index cms_vm to be always displayed or to be displayed when the join condition matches. You can use join type=inner for that case.

Re: How come the text input token is not filtering out all results?

gbwilson — Fri, 05 Oct 2018 19:21:43 GMT

I want to see all events, not just ones where the condition matches.

Re: How come the text input token is not filtering out all results?

gbwilson — Fri, 05 Oct 2018 19:23:50 GMT

I've tried this too. When I try this null values still appear in the stats table not just the record that fits the token criteria.

Re: How come the text input token is not filtering out all results?

Vijeta — Tue, 29 Sep 2020 21:33:45 GMT

your VM field is the key between index cms_vm and cms_app_server.
Since your VM values Test, Test1, Test2, Test3 is present in outer query so all the rows are appearing.
You are searching on Application field within the inner query, so the inner query is giving you only first row but due to outer quesry you are getting all the rows which have blank application and then you have one more outer join.
Your where should be just before table-

|where Application="$appfield$" | table VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME|

Re: How come the text input token is not filtering out all results?

gbwilson — Fri, 05 Oct 2018 20:00:08 GMT

Yeah I know it's tricky with the outer joins. I tried your suggestion but get "No results found" even when all tokens are on 'Select *'

Re: How come the text input token is not filtering out all results?

Vijeta — Fri, 05 Oct 2018 20:06:00 GMT

If the appfield token has the value, then it should be able to filter in the where clause. if appfield is TEST then you should get first row. Did you try removing the quotes like where Application=$appfield$

Also you can see the runtime token value on the dashboard URL as form.appfield=value, so that can help to check if the token is populating correctly.

Re: How come the text input token is not filtering out all results?

gbwilson — Fri, 05 Oct 2018 20:22:20 GMT

The token looks like it's populating correctly based on the dashboard URL. I also tried removing the quotes, but it still doesn't provide any results.