All Apps and Add-ons

Custom Dashboard/Form - Don't require all input fields to search

jchampagne
Path Finder

I've created a custom dashboard with a search form. I've got several input fields for users to search with, however I cannot set the default value to * because not every field appears in every row.

If I leave the fields blank, Splunk will leave out the token from my search string...which is what I want. However, the first time I try to run a search, my results panel sits at "Search is waiting for input..." until I fill in all of my input fields. All subsequent searches don't require a value in every field.

If I use * in each field, events that are missing a field are omitted from the results. The only other way I can think to get around this is to use fillnull on my result set. However, that seems like an intense search to me, as Splunk would need to grab all my results, fill in the null values, and then do a second search.

musskopf
Builder

I think fillnull is the best approach. You could use and | eval ifnull(field) bla bla bla, but it would be even more intensive.

The approach I use with heavy dashboards is to create a couple of reports, outputting all to a table and scheduling it to run every X minutes/hours. I than create my dashboard using searches starting with:

 | loadjob "admin:search:my saved report" | search fieldA="1" AND fieldB="*" | stats count by fieldC

You can do all lookups, fillnulls and any data cleansing at the schedule report phase and the dashboard will run fast, very fast!

The pitfall is, that the "loadjob" command will only work if the report already ran and has results. The report needs to run at least once via scheduler. You can keep eye on your "Activity->Jobs" and you'll see your saved report running and completed.

Cheers

Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...