Dashboards & Visualizations

Dashboard Search - Include Field When Exists

pkohn117
Explorer

I'm creating a dashboard to easily search through our web proxy logs and table out the results when troubleshooting. The issue is that sometimes the logs don't contain a destination IP, sometimes they do.

For the dashboard fields that you can input, one of them I want to be able to specify sometimes is the destination IP (field: dest_ip), however, the field doesn't always exist so if I use the following search (I'm excluding the tabling):

index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ dest_ip=$destip$

Dashboard values:

c_ip=1.2.3.4

cs_host=* (default)

action=* (default)

dest_ip=* (default)

It will exclude some of the logs since they don't all have the field "dest_ip"

The other 3 fields exist in all logs.  In the dashboard you can input values for each of the fields.  I'm trying to allow that for dest_ip but it doesn't always exist - that's the issue I'm trying to overcome.

1 Solution

dtburrows3
Builder

Does this give you the intended behaviour?

index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ (dest_ip=$destip$ OR NOT dest_ip=*)

I think including a (dest_ip=$destip$ OR NOT dest_ip=*) will search any token input but also include results for events that don't have a dest_ip field in them.

The only issue I see with this is that if a dashboard user is looking for a specific dest_ip now then they will get results matching all the other field criteria and have null dest_ip.

Maybe if you wanted to filter off the events with null dest_ip when a specific dest_ip is being searched (anything other than "*") then you could add some additional filter criteria.

index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ (dest_ip=$destip$ OR NOT dest_ip=*)
    | eval filter_off=if(NOT "$destip$"=="*" AND isnull(dest_ip), 1, 0)
    | where 'filter_off'==0
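As an added example (not code from this thread), the same pattern written out as a Simple XML form: the text inputs default to "*" so a blank field means "no filter", the optional-field trick is extended to a second field, and the null check is collapsed into one where clause. The dest_port field and its $destport$ token are assumed for illustration; $destip|s$ is Splunk's string token filter, which wraps the user-supplied value in double quotes and escapes quotes and backslashes, so the where comparison always receives a single string literal regardless of what was typed into the dashboard.

```xml
<form>
  <label>Proxy log search</label>
  <!-- Added example, not from the thread. Text inputs default to "*"
       so an empty field means "no filter". dest_port / $destport$ is an
       assumed second optional field used only for illustration. -->
  <fieldset submitButton="true">
    <input type="time" token="tr">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="cip"><label>Client IP (c_ip)</label><default>*</default></input>
    <input type="text" token="cshost"><label>Requested host (cs_host)</label><default>*</default></input>
    <input type="text" token="action"><label>Action</label><default>*</default></input>
    <input type="text" token="destip"><label>Destination IP (dest_ip)</label><default>*</default></input>
    <input type="text" token="destport"><label>Destination port (dest_port)</label><default>*</default></input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Each optional field: match the token OR keep events lacking the field.
             The where clause then drops null-field events only when the user
             asked for a specific value (anything other than "*"). The |s filter
             quotes/escapes the token so it is always one string literal. -->
        <search>
          <query>index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$
    (dest_ip=$destip$ OR NOT dest_ip=*)
    (dest_port=$destport$ OR NOT dest_port=*)
| where ($destip|s$=="*" OR isnotnull(dest_ip))
    AND ($destport|s$=="*" OR isnotnull(dest_port))
| table _time c_ip cs_host action dest_ip dest_port</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With both tokens left at "*" every event matching the mandatory fields is returned; entering a value for either optional field returns only events that actually carry that field with the requested value.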

pkohn117
Explorer

The second part worked great! Thank you!
