How do I search with dbxquery from a field to allow ALL values to be returned?

cmrotek
New Member

I have a field set up to accept the value for user, but I cannot figure out how to change the code to accept a value that will cause all values to be returned from the table. I will be trying to set up multiple fields to do the same thing with the other values in the table.

| dbxquery query="SELECT \"AUDIT_EVENT\".\"EVENT_TIMESTAMP\",\"AUDIT_EVENT\".\"EVENT_ID\",\"EVENT_VALUE_1\",\"EVENT_VALUE_1_PARAM\",\"EVENT_VALUE_2\",\"PROFILE_ID\" FROM \"ThisDatabase\".\"dbo\".\"AUDIT_EVENT_DETAIL\" JOIN \"AUDIT_EVENT\" ON \"AUDIT_EVENT\".\"EVENT_ID\"=\"AUDIT_EVENT_DETAIL\".\"EVENT_ID\" WHERE EVENT_VALUE_1_PARAM = 'Attempted user name' AND EVENT_VALUE_1 = '$user$'" connection="DEV-SQLAccount"

No default values will make this work. I am trying to pass "IS NOT NULL" to the result, but may need to convert a default value of a start to this. However, the user must also be able to put a user in the field and still do a search.

0 Karma
1 Solution

cmerriman
Super Champion

If I'm understanding what you're looking to do, I'm working on a similar thing and I've come up with this solution (using a multiselect input):

...and regexp_like(EVENT_VALUE_1,'$user$')

would go into your dbxquery. Your tokens would have these settings:

<input type="multiselect" token="user">
  <label>User</label>
  <choice value="^">All</choice>
  <default>^</default>
  <delimiter>|</delimiter>
  <fieldForLabel>user</fieldForLabel>
  <fieldForValue>user</fieldForValue>
  <search>
    <query>query that grabs all users</query>
  </search>
</input>

0 Karma

somesoni2
Revered Legend

Try the LIKE command to compare EVENT_VALUE_1 with $user$, and in your text box for user input, use % as the default value.

0 Karma

cmrotek
New Member

Yes, it is as easy as using the LIKE command instead of the "=" comparison, then changing the default field's value to a %.

0 Karma

cmrotek
New Member

Yes, it is as simple as using the LIKE command and changing the default field values to %.

| dbxquery query="SELECT \"AUDIT_EVENT\".\"EVENT_TIMESTAMP\",\"AUDIT_EVENT\".\"EVENT_ID\",\"EVENT_VALUE_1\",\"EVENT_VALUE_1_PARAM\",\"EVENT_VALUE_2\",\"PROFILE_ID\" FROM \"ThatDatabase\".\"dbo\".\"AUDIT_EVENT_DETAIL\" JOIN \"AUDIT_EVENT\" ON \"AUDIT_EVENT\".\"EVENT_ID\"=\"AUDIT_EVENT_DETAIL\".\"EVENT_ID\" WHERE EVENT_VALUE_1_PARAM = 'Attempted user name' AND EVENT_VALUE_1 Like '$user$'" connection="SomeDEV-SQLAccount"
0 Karma
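
The LIKE approach from this thread, as an added example that is not part of any post: it runs the thread's WHERE clause against constructed rows to show that a `%` default returns every row with a non-NULL user, and that a typed name containing `_` or `%` is still read as a pattern unless it is escaped. Assumptions: SQLite stands in for the thread's database, `make_db`, `search` and `escape_like` are hypothetical helper names, and the value is bound with `?` here instead of being substituted as the `$user$` token.

```python
import sqlite3

# Constructed sample rows; column names follow the query in the thread.
ROWS = [
    (1, "Attempted user name", "alice"),
    (2, "Attempted user name", "bob_admin"),
    (3, "Attempted user name", "bobXadmin"),
    (4, "Attempted user name", None),   # no user recorded
    (5, "Source address", "alice"),     # different parameter type
]

# Same filter as the thread's query, plus an ESCAPE clause (an addition).
QUERY = (
    "SELECT EVENT_ID FROM AUDIT_EVENT_DETAIL "
    "WHERE EVENT_VALUE_1_PARAM = 'Attempted user name' "
    "AND EVENT_VALUE_1 LIKE ? ESCAPE '\\' ORDER BY EVENT_ID"
)


def make_db():
    """Build an in-memory table holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE AUDIT_EVENT_DETAIL "
        "(EVENT_ID INTEGER, EVENT_VALUE_1_PARAM TEXT, EVENT_VALUE_1 TEXT)"
    )
    db.executemany("INSERT INTO AUDIT_EVENT_DETAIL VALUES (?, ?, ?)", ROWS)
    return db


def escape_like(value):
    """Make %, _ and the escape character match literally in a LIKE pattern."""
    for ch in ("\\", "%", "_"):
        value = value.replace(ch, "\\" + ch)
    return value


def search(db, pattern):
    """Return the EVENT_IDs whose EVENT_VALUE_1 matches the LIKE pattern."""
    return [row[0] for row in db.execute(QUERY, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("default %  ->", search(db, "%"))          # all non-NULL users
    print("alice      ->", search(db, "alice"))      # one exact user
    print("bob_admin  ->", search(db, "bob_admin"))  # _ matches any one character
    print("escaped    ->", search(db, escape_like("bob_admin")))
```

The `%` default skips row 4 because `NULL LIKE '%'` is not true, which gives the "IS NOT NULL" behaviour asked for in the question. On SQL Server, `[` also starts a LIKE pattern and would need the same escaping.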