All Apps and Add-ons

Custom Dashboard/Form - Don't require all input fields to search

jchampagne
Path Finder

I've created a custom dashboard with a search form. I've got several input fields for users to search with, however I cannot set the default value to * because not every field appears in every row.

If I leave the fields blank, Splunk will leave out the token from my search string...which is what I want. However, the first time I try to run a search, my results panel sits at "Search is waiting for input..." until I fill in all of my input fields. All subsequent searches don't require a value in every field.

If I use * in each field, events that are missing a field are omitted from the results. The only other way I can think to get around this is to use fillnull on my result set. However, that seems like an intense search to me, as Splunk would need to grab all my results, fill in the null values, and then do a second search.

musskopf
Builder

I think fillnull is the best approach. You could use and | eval ifnull(field) bla bla bla, but it would be even more intensive.

The approach I use with heavy dashboards is to create a couple of reports, outputting all to a table and scheduling it to run every X minutes/hours. I than create my dashboard using searches starting with:

 | loadjob "admin:search:my saved report" | search fieldA="1" AND fieldB="*" | stats count by fieldC

You can do all lookups, fillnulls and any data cleansing at the schedule report phase and the dashboard will run fast, very fast!

The pitfall is, that the "loadjob" command will only work if the report already ran and has results. The report needs to run at least once via scheduler. You can keep eye on your "Activity->Jobs" and you'll see your saved report running and completed.

Cheers

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...