How to use multiple text tokens even with no value to one of them.

suchakrajan
New Member

I have two TEXT fields, IP address and Username. I want to create a dashboard based on either of the fields. I tried with an "if condition", but it did not work.

Example:
field1=IP_addr
field2=user

    | search src_ip=$field1$ OR usr=$field2$ | table src_ip usr

In the above example, if I don't pass a value for any one of the fields, I don't get the result.

How to achieve this?

PS: It should be easy, however I am new to Splunk/programming, hence looking for help.

Thanks.
RS

0 Karma

niketnilay
Legend

@suchakrajan, since you have an OR condition to be applied for the text box values, you can code the text boxes' <change> event handlers based on the conditions, i.e.

1) If either src_ip or username is provided, then either src_ip=$tokIP$ or usr=$tokUserName$
2) If both are provided, then src_ip=$tokIP$ OR usr=$tokUserName$
3) If both are empty, then no search filter is to be applied

    <input type="text" token="tokIP" searchWhenChanged="true">
      <label>IP Address</label>
      <change>
        <condition match="len($value$)>0">
          <eval token="tokFilter">case(isnull($tokUserName$) OR len($tokUserName$)=0,"src_ip=".$value$,true(),"usr=".$tokUserName$." OR "."src_ip=".$value$)</eval>
        </condition>
        <condition>
          <eval token="tokFilter">case(isnull($tokUserName$) OR len($tokUserName$)=0," ",true(),"usr=".$tokUserName$)</eval>
        </condition>
      </change>
    </input>
    <input type="text" token="tokUserName" searchWhenChanged="true">
      <label>User Name</label>
      <change>
        <condition match="len($value$)>0">
          <eval token="tokFilter">case(isnull($tokIP$) OR len(trim($tokIP$))=0,"usr=".$value$,true(),"src_ip=".$tokIP$." OR "."usr=".$value$)</eval>
        </condition>
        <condition>
          <eval token="tokFilter">case(isnull($tokIP$) OR len(trim($tokIP$))=0," ",true(),"src_ip=".$tokIP$)</eval>
        </condition>
      </change>
    </input>

Try the following run-anywhere dashboard, which sets the token on the <change> event based on <condition> and <eval> to set the token for the search filter based on the above three conditions. PS: The <init> section is used to empty the search filter token on loading the dashboard (the <init> section is available in Splunk version 6.5 onward).

Use the token $tokFilter$ in your search which should satisfy all the conditions.

    <form>
      <label>Multiple Optional Text Boxes for Search Filter</label>
      <init>
        <set token="tokFilter"> </set>
      </init>
      <fieldset submitButton="false">
        <input type="text" token="tokIP" searchWhenChanged="true">
          <label>IP Address</label>
          <change>
            <condition match="len($value$)>0">
              <eval token="tokFilter">case(isnull($tokUserName$) OR len($tokUserName$)=0,"src_ip=".$value$,true(),"usr=".$tokUserName$." OR "."src_ip=".$value$)</eval>
            </condition>
            <condition>
              <eval token="tokFilter">case(isnull($tokUserName$) OR len($tokUserName$)=0," ",true(),"usr=".$tokUserName$)</eval>
            </condition>
          </change>
        </input>
        <input type="text" token="tokUserName" searchWhenChanged="true">
          <label>User Name</label>
          <change>
            <condition match="len($value$)>0">
              <eval token="tokFilter">case(isnull($tokIP$) OR len(trim($tokIP$))=0,"usr=".$value$,true(),"src_ip=".$tokIP$." OR "."usr=".$value$)</eval>
            </condition>
            <condition>
              <eval token="tokFilter">case(isnull($tokIP$) OR len(trim($tokIP$))=0," ",true(),"src_ip=".$tokIP$)</eval>
            </condition>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <html>
            <div>
              IP=$tokIP$
            </div>
            <div>
              User=$tokUserName$
            </div>
            <div>
              Filter=$tokFilter$
            </div>
            <div>
              Condition=$tokCondition$
            </div>
          </html>
        </panel>
      </row>
    </form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
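
The three conditions from the answer above, written as a stand-alone JavaScript function (an added example, not code from the original post; `buildFilter`, `quoteValue` and `provided` are hypothetical names). It goes one step beyond the answer by quoting each value, so that input containing spaces or quotes stays a single value for its field.

```javascript
// Added example, not from the original thread. buildFilter(), quoteValue()
// and provided() are hypothetical helpers; src_ip and usr are the fields
// used in the question and answer above.

// Wrap a user-supplied value in double quotes and escape backslashes and
// quotes, so the whole input stays one quoted value in field="...".
function quoteValue(raw) {
  return '"' + raw.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Treat undefined, null and whitespace-only input as "not provided".
function provided(raw) {
  return typeof raw === 'string' && raw.trim().length > 0;
}

// Build the search filter for the three cases in the answer:
//   1) only one box filled -> a single field="value" term
//   2) both boxes filled   -> the two terms joined with OR
//   3) both boxes empty    -> a single space, i.e. no filter
function buildFilter(ip, user) {
  const terms = [];
  if (provided(ip)) terms.push('src_ip=' + quoteValue(ip.trim()));
  if (provided(user)) terms.push('usr=' + quoteValue(user.trim()));
  if (terms.length === 0) return ' ';
  // Parenthesize so the OR cannot bind to other terms of the base search.
  return terms.length === 1 ? terms[0] : '(' + terms.join(' OR ') + ')';
}

// Constructed sample inputs, one per case plus a value containing quotes.
const samples = [
  ['10.1.2.3', ''],
  ['', 'alice'],
  ['10.1.2.3', 'alice'],
  ['   ', undefined],
  ['', 'svc "backup" acct'],
];
for (const [ip, user] of samples) {
  console.log(JSON.stringify(buildFilter(ip, user)));
}
```

Simple XML's `|s` token filter (for example `$tokIP|s$`) quotes a token value when it is substituted directly into a search.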

kranthimutyala
Explorer

I have two TEXT fields, Object and modifier. I want to create a dashboard based on either of the fields. I tried with an "if condition", but it did not work.
JavaScript is also fine.

Example:
field1=object
field2=modifier

    index=name event=$object$ action=$modifier$ | table content group

-->if both fields are provided no worries
-->if both are not provided then both should be "wildcard(star)"
-->if field1 is specified and field2 is not specified then field2 should be "wildcard(star)"
-->if field2 is specified and field1 is not specified then field1 should be "*"

How to achieve this?

Thanks.
Kranthi M

0 Karma

kunalmao
Communicator

You need to keep a default value for each of the fields while declaring them; keep the default value as null and then run the same query, and it will work.

0 Karma

valiquet
Contributor

You could try putting double quotes around IP_addr and user. Otherwise Splunk will think it is not a string but a variable.

Just to be clear, you want to take a variable from the UI and use it in the search string?

0 Karma