topic Re: How to create a filter on the field fetch using REX? in Splunk Search

How to create a filter on the field fetch using REX?

Real_captain — Mon, 29 Apr 2024 10:34:03 GMT

Can someone help me to find a way to create a Dropdown Input on the field which is extracted using a REX command.

Example: For the below search, I want to add a new dropdown Input with the 3 values :
a) Incoming b) Outgoing c) Both

If user select Incoming, only those records with the direction as incoming will be displayed.

If user select Outgoing, only those records with the direction as Outgoing will be displayed.

If user select Both, all the records (Direction as incoming or outgoing) will be displayed.

Query:

index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VV537UP) OR TERM(VVF119P) ) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "((VV537UP -)|(VVF119P -))(?<Func>[^\-]+)"
| fillnull Func value=" PURGED"
| eval Function=trim(Func)
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y")
| rename DAT as Date_of_reception
| eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Description= case('JOBNAME' == "$VVF119P", "Reception of the CFI file from EB and trigger planning PVVZJH." ,
'JOBNAME' == "$VV537UP", "Unload of VVA537 for Infocentre." ,
1=1,"NA")
| eval DIRECTION= case('JOBNAME' == "$VVF119P", "INCOMING" , 'JOBNAME' == "$VV537UP", "OUTGOING" ,
1=1,"NA")
| eval Diff=ENDED_TIME-STARTED_TIME
| eval TimeDiff=now() - STARTED_TIME
| eval Status =
if(isnotnull(ENDED_TIME) AND (Diff<=120),"OK",if(isnotnull(ENDED_TIME) AND (Diff>120),"BREACHED",
if(isnull(ENDED_TIME) AND isnull(STARTED_TIME),"PLANNED",if(isnull(ENDED_TIME) AND isnotnull(STARTED_TIME) AND (TimeDiff>1000),"FAILED",
if(isnull(ENDED_TIME) AND isnotnull(STARTED_TIME) and (TimeDiff>1000),"RUNNING","WARNING")))))
| fieldformat STARTED_TIME=strftime((STARTED_TIME),"%H:%M:%S")
| fieldformat ENDED_TIME=strftime((ENDED_TIME),"%H:%M:%S")
| fieldformat PURGED_TIME=strftime( PURGED_TIME,"%H:%M:%S")
| eval diff_time = tostring(Diff , "duration")
| eval diff_time_1=substr(diff_time,1,8)
| rename diff_time_1 as EXECUTION_TIME
| table JOBNAME,Description,DIRECTION , Date_of_reception ,STARTED_TIME , ENDED_TIME , PURGED_TIME , EXECUTION_TIME , Status
| sort -STARTED_TIME

Re: How to create a filter on the field fetch using REX?

ITWhisperer — Mon, 29 Apr 2024 10:44:19 GMT

I am not sure where rex comes into it - you could set up a static drop down like this

Label	Value
Incoming	\| where DIRECTION=="INCOMING"
Outgoing	\| where DIRECTION=="OUTGOING"
Both

Then just place the token in your search after the DIRECTION eval

| eval DIRECTION= case('JOBNAME' == "$VVF119P", "INCOMING" , 'JOBNAME' == "$VV537UP", "OUTGOING" , 1=1,"NA") $direction_selector_token$ | eval Diff=ENDED_TIME-STARTED_TIME

Re: How to create a filter on the field fetch using REX?

Real_captain — Mon, 29 Apr 2024 12:16:55 GMT

Sorry, I want to create an input (free text) on the field "JOBNAME" which is extracted via rex.

Is it possible?

Below input is working fine when I put a job name in the free_text input but when i give nothing or * in the

free_text input , it gives me no result.

<input type="text" token="free_text" searchWhenChanged="true"> <label>Free_Text</label> <default>*</default> <prefix>| where JOBNAME = "</prefix> <suffix>"</suffix> <initialValue>*</initialValue> </input>

Any way to create an input filter as a free text for the field JOBNAME ??

I am using Free text input because there are more than 500 jobs and in the dropdown it does not look good.

Re: How to create a filter on the field fetch using REX?

ITWhisperer — Mon, 29 Apr 2024 11:47:44 GMT

Where doesn't support wildcards in this way, try using search instead of where