
How do I search with dbxquery from a field to allow ALL values to be returned?

New Member

I have a field set up to accept the value for user, but I cannot figure out how to change the code to accept a value that will cause all values to be returned from the table. I will be trying to set up multiple fields to do the same thing with the other values in the table.

| dbxquery query="SELECT \"AUDIT_EVENT\".\"EVENT_TIMESTAMP\",\"AUDIT_EVENT\".\"EVENT_ID\",\"EVENT_VALUE_1\",\"EVENT_VALUE_1_PARAM\",\"EVENT_VALUE_2\",\"PROFILE_ID\" FROM \"ThisDatabase\".\"dbo\".\"AUDIT_EVENT_DETAIL\" JOIN \"AUDIT_EVENT\" ON \"AUDIT_EVENT\".\"EVENT_ID\"=\"AUDIT_EVENT_DETAIL\".\"EVENT_ID\" WHERE EVENT_VALUE_1_PARAM = 'Attempted user name' AND EVENT_VALUE_1 = '$user$'" connection="DEV-SQLAccount"

No default values will make this work. I am trying to pass "IS NOT NULL" to the result, but may need to convert a default value of a start to this. However, the user must also be able to put a user in the field and still do a search.

0 Karma

Re: How do I search with dbxquery from a field to allow ALL values to be returned?

Super Champion

if i'm understanding what you're looking to do, i'm working on a similar thing and i've come up with this solution (using a multiselect input):

...and regexp_like(EVENT_VALUE_1,'$user$')

would go into your dbxquery. your tokens would have these settings:

<input type="multiselect" token="user">
  <label>User</label>
  <choice value="^">All</choice>
  <default>^</default>
  <delimiter>|</delimiter>
  <fieldForLabel>user</fieldForLabel>
  <fieldForValue>user</fieldForValue>
  <search>
    <query>query that grabs all users</query>
  </search>
</input>


0 Karma

Re: How do I search with dbxquery from a field to allow ALL values to be returned?

New Member

Yes, it is as simple as using the LIKE command and changing the default field values to %.

| dbxquery query="SELECT \"AUDIT_EVENT\".\"EVENT_TIMESTAMP\",\"AUDIT_EVENT\".\"EVENT_ID\",\"EVENT_VALUE_1\",\"EVENT_VALUE_1_PARAM\",\"EVENT_VALUE_2\",\"PROFILE_ID\" FROM \"ThatDatabase\".\"dbo\".\"AUDIT_EVENT_DETAIL\" JOIN \"AUDIT_EVENT\" ON \"AUDIT_EVENT\".\"EVENT_ID\"=\"AUDIT_EVENT_DETAIL\".\"EVENT_ID\" WHERE EVENT_VALUE_1_PARAM = 'Attempted user name' AND EVENT_VALUE_1 Like '$user$'" connection="SomeDEV-SQLAccount"

0 Karma

Re: How do I search with dbxquery from a field to allow ALL values to be returned?

New Member

Yes, it is as easy as using the LIKE command instead of the "=" comparison, then changing the default field's value to a %.

0 Karma

Re: How do I search with dbxquery from a field to allow ALL values to be returned?

SplunkTrust

Try the LIKE command to compare EVENT_VALUE_1 with $user$, and in your text box for user input, use % as the default value.

0 Karma
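
What the LIKE approach suggested in this thread returns for a `%` default and for a typed user name, as an added example that is not from any of the posts. It uses Python's sqlite3 as a stand-in for the SQL Server connection, with constructed rows, and binds the pattern as a parameter instead of substituting it into the SQL text; the helper names (`make_db`, `escape_like`, `pattern_for`, `run`) are assumptions.

```python
import sqlite3

def make_db():
    """In-memory table with constructed rows (not data from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AUDIT_EVENT_DETAIL ("
                 "EVENT_ID INTEGER, EVENT_VALUE_1_PARAM TEXT, EVENT_VALUE_1 TEXT)")
    conn.executemany("INSERT INTO AUDIT_EVENT_DETAIL VALUES (?, ?, ?)", [
        (1, "Attempted user name", "a_smith"),
        (2, "Attempted user name", "axsmith"),
        (3, "Attempted user name", "jdoe"),
        (4, "Attempted user name", None),      # NULL user name
        (5, "Source host", "a_smith"),         # different parameter type
    ])
    return conn

def escape_like(value, esc="\\"):
    """Make the escape character, % and _ literal inside a LIKE pattern.
    SQL Server also treats [ ] as a pattern, which this sketch does not cover."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def pattern_for(user=None):
    """None means the dashboard's 'All' default (%); anything else is literal."""
    return "%" if user is None else escape_like(user)

def run(conn, pattern):
    """Return matching EVENT_IDs; the pattern is bound, not concatenated."""
    sql = ("SELECT EVENT_ID FROM AUDIT_EVENT_DETAIL "
           "WHERE EVENT_VALUE_1_PARAM = 'Attempted user name' "
           "AND EVENT_VALUE_1 LIKE ? ESCAPE '\\' ORDER BY EVENT_ID")
    return [row[0] for row in conn.execute(sql, (pattern,))]

if __name__ == "__main__":
    db = make_db()
    print(run(db, "%"))                     # all rows with a non-NULL user name
    print(run(db, "a_smith"))               # raw input: _ acts as a wildcard
    print(run(db, pattern_for("a_smith")))  # escaped input: exact name only
```

The `%` default skips rows where EVENT_VALUE_1 is NULL, which matches the "IS NOT NULL" behaviour asked for in the question, while a typed name containing `_` or `%` matches more than the exact name unless it is escaped.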