I'm creating a dashboard to easily search through our web proxy logs and table out the results when troubleshooting. The issue is that sometimes the logs don't contain a destination IP, and sometimes they do.
For the dashboard fields that you can input, one of them I want to be able to specify sometimes is the destination IP (field: dest_ip). However, the field doesn't always exist, so if I use the following search (I'm excluding the tabling):
index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ dest_ip=$destip$
Dashboard values:
c_ip=1.2.3.4
cs_host=* (default)
action=* (default)
dest_ip=* (default)
It will exclude some of the logs, since they don't all have the field "dest_ip".
The other 3 fields exist in all logs. In the dashboard you can input values for each of the fields. I'm trying to allow that for dest_ip but it doesn't always exist - that's the issue I'm trying to overcome.
Does this give you the intended behaviour?
index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ (dest_ip=$destip$ OR NOT dest_ip=*)
I think including a (dest_ip=$destip$ OR NOT dest_ip=*) will search any token input but also include results for events that don't have a dest_ip field in them.
The only issue I see with this is that if a dashboard user is looking for a specific dest_ip now then they will get results matching all the other field criteria and have null dest_ip.
Maybe if you wanted to filter off the events with null dest_ip when a specific dest_ip is being searched (anything other than "*") then you could add some additional filter criteria.
index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ (dest_ip=$destip$ OR NOT dest_ip=*)
| eval filter_off=if(NOT "$destip$"=="*" AND isnull(dest_ip), 1, 0)
| where 'filter_off'==0
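To show how the answer above fits into a dashboard, here is an added Simple XML form (example code, not from the original post): the four text inputs default to "*", and the search uses the (dest_ip=$destip$ OR NOT dest_ip=*) clause plus the filter_off step so events without a dest_ip field only appear when the user leaves dest_ip at "*". The time-picker token "tp" and the table columns are my assumptions.

```xml
<form>
  <label>Proxy log search</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- Assumed time picker; token name "tp" is not from the original post -->
    <input type="time" token="tp">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="cip">
      <label>Client IP (c_ip)</label>
      <default>*</default>
    </input>
    <input type="text" token="cshost">
      <label>Requested host (cs_host)</label>
      <default>*</default>
    </input>
    <input type="text" token="action">
      <label>Proxy action</label>
      <default>*</default>
    </input>
    <input type="text" token="destip">
      <label>Destination IP (dest_ip, not present in every event)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- filter_off=1 marks events with no dest_ip when a specific dest_ip was requested -->
          <query>index=proxy c_ip=$cip$ cs_host=$cshost$ action=$action$ (dest_ip=$destip$ OR NOT dest_ip=*)
| eval filter_off=if("$destip$"!="*" AND isnull(dest_ip), 1, 0)
| where filter_off==0
| table _time c_ip cs_host action dest_ip</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>
```

With dest_ip left at "*" the table includes events that have no dest_ip field; entering a specific address drops those events because filter_off becomes 1 for them.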
The second part worked great! Thank you!