Hi,
Our text search bar filter works for all panels but one. However, it does load new data initially when booting the dashboard. According to the user who uses this dashboard, it stopped working after one of our Splunk admins added the _time field in the table (I don't feel this is the case). Below is the search query for the panel NOT working with our search bar filter:
sourcetype=cerberus-ftp host=SERVER_NAME (src_ip="" OR user="" OR (file="" AND file_action="")) *
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| search file_action=Uploaded
| table _time, file, file_action
| dedup file
Below are the three dashboard panel search queries which ARE working with our search bar filter:
host=SERVER_NAME sourcetype="SOURCE" EventCode!=500 *PRD
| table _time, SourceName, EventCode, file
| eval SourceName = mvindex(SourceName,0)
| lookup workday_sftp_sql_eventcodes EventCode OUTPUT Action
| fields _time, SourceName, file, Action
| sort -_time
| table file
| dedup file
sourcetype=cerberus-ftp host=SERVER_NAME (src_ip="" OR user="" OR (file="" AND file_action="")) *PRD
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| table _time, connection_id, user, src_ip, file, file_action
host=SERVER_NAME sourcetype="SOURCE" EventCode!=500 *PRD
| table _time, SourceName, EventCode, file
| eval SourceName = mvindex(SourceName,0)
| lookup workday_sftp_sql_eventcodes EventCode OUTPUT Action
| fields _time, SourceName, file, Action
| sort -_time
Any help with this is greatly appreciated!
Fraser
| search file_action=Uploaded
Query No. 1 selects file_action. Therefore no result, I think.
This is my recommended query:
sourcetype=cerberus-ftp host=SERVER (src_ip=$tokenA$ OR user=$tokenB$ OR (file=$tokenC$ AND file_action=$tokenD$))
| eval file_action=case(match(file_action,"stored"),"Uploaded",match(file_action,"sent"),"Downloaded",match(file_action,"deleted"),"Deleted")
| eval file_action = file.":".file_action
| stats first(_time) as _time list(file_action) as file_action by connection_id
| stats values(_time) as _time by file_action
| eval file=mvindex(split(file_action,":"),0)
| eval file_action=mvindex(split(file_action,":"),1)
| table _time, file, file_action
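As an added example (not from the thread or the original dashboard), this is how the four tokens in the recommended query above would be wired to text inputs in a Simple XML dashboard; the input labels, the time picker and the "*" defaults are assumptions.

```xml
<form>
  <label>Cerberus FTP file activity (constructed example)</label>
  <fieldset submitButton="true" autoRun="true">
    <!-- Time picker; the panel search references $time.earliest$ / $time.latest$ -->
    <input type="time" token="time">
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Each text box sets one token used in the panel search. A default of "*" (an
         assumption here) keeps the clause a wildcard when the box is left empty. -->
    <input type="text" token="tokenA">
      <label>Source IP</label>
      <default>*</default>
    </input>
    <input type="text" token="tokenB">
      <label>User</label>
      <default>*</default>
    </input>
    <input type="text" token="tokenC">
      <label>File</label>
      <default>*</default>
    </input>
    <input type="text" token="tokenD">
      <label>File action</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Recommended query from the thread; tokens are substituted at run time -->
          <query>sourcetype=cerberus-ftp host=SERVER (src_ip=$tokenA$ OR user=$tokenB$ OR (file=$tokenC$ AND file_action=$tokenD$))
| eval file_action=case(match(file_action,"stored"),"Uploaded",match(file_action,"sent"),"Downloaded",match(file_action,"deleted"),"Deleted")
| eval file_action = file.":".file_action
| stats first(_time) as _time list(file_action) as file_action by connection_id
| stats values(_time) as _time by file_action
| eval file=mvindex(split(file_action,":"),0)
| eval file_action=mvindex(split(file_action,":"),1)
| table _time, file, file_action</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```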
#1 & #3 are the same?
Apologies. I don't know how I ended up doing that. Just for clarification, I just checked the queries for number #1 and #3 dashboard. They are very similar, yet the third one works and the first one does not... see below:
sourcetype=cerberus-ftp host=SERVER (src_ip="" OR user="" OR (file="" AND file_action="")) *
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| search file_action=Uploaded
| table _time, file, file_action
| dedup file
sourcetype=cerberus-ftp host=SERVER (src_ip="" OR user="" OR (file="" AND file_action="")) *PRD
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| table _time, connection_id, user, src_ip, file, file_action
Note: Servers are identical on both queries.
What's confusing is that the only difference is in the search terms, with #1 wildcarding all and #3 only wildcarding PRD, plus the piped search line in #1, which shouldn't affect this, right? If you think it does, I could remove this search line and add it into the search terms instead of wildcarding all file_actions initially (I didn't write this query and the person who did has left, so I can't refer back to him on what has changed).