Dashboards & Visualizations

Is there a way to filter text from a specific field in a table and only display the filtered text in my dashboard?

steeldol
Explorer

Is there a way to filter text from a specific field in a table and only display the filtered text in my dashboard?

For example, I have a panel in my dashboard that contains 5 columns displaying incident ticket information: Ticket#, AssigneeName, Product, OpenTime, Description and UpdateAction. This panel is extracting this data from our ticketing system db. The Update Action field is one that is updated by many different people, including folks not in my support group. I would like to only display entries under the UpdateAction column that were inputted by my team members. The field is currently displaying all entries. For example the column is displaying the following:

05/05/16 16:12:58 (John): Hello1  13:40:15 (Jill): Hello2 10:46:46 (Bob): Hello3 04/18/16 16:45:02 (Tom): Hello4

Is there a way I can edit this field to only display Bob and Jill's entry and not John and Tom's?


DalJeanis
Legend

Yes. Basically, you would join the results to a lookup table.

Assume your employee field in the transactions is AssigneeName, and that you have a lookup table called myemployees.csv that has EmployeeName and EmployeeDept for your employees and also for a bunch of other departments, plus a bunch of other fields that you don't need at all.

The search would look something like this.

[your base search] 
| join AssigneeName  [inputlookup myemployees.csv | where EmployeeDept = "MyDepartment"  | table EmployeeName | rename EmployeeName as AssigneeName]

What you are doing above is stripping the lookup table down to only what you want, naming it the same thing that is on your main file, and putting that single-item table into the join command. Since it is an inner join by default, anything on the main search that isn't on your lookup results will be dropped.


steeldol
Explorer

Thanks everyone for your input. DalJeanis, actually, all comments will have a date and time entry. I apologize for not making that clear. How does that impact this query? Thanks again.


steeldol
Explorer

Thanks for replies. DalJeanis, actually, every comment does contain a date and time entry. I apologize for not making that clear. In this case, how does that impact this query?


DalJeanis
Legend

Hmmm - looks like you are going to need a rex & regex to strip the different comments out of the comment field. It's made a little more complicated by the fact that some comments have date and time, others just have time.

The following test rex isn't working yet, but it's getting there.

| makeresults 
| eval comment="05/05/16 16:12:58 (John): Hello1  13:40:15 (Jill): Hello2 10:46:46 (Bob): Hello3 04/18/16 16:45:02 (Tom): Hello4"
| rex field=comment max_match=0 "(?<TheDateAndOrTime>(\d{1,2}/\d{1,2}/\d{2,4})?\s*?\d\d:\d\d:\d\d)|\s*?|\s*?\((?<MyName>[^)]*)\):(?<MyComment>.*?)"

Within the comment, match either (1) a time with optional date in front of it or (2) a name surrounded by parenthesis, followed by a colon and some stuff. The trick is identifying the end of the comment at the first start of the next date or time, using some sort of zero-length lookahead. Working on it.

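As an added example (not code from the thread), here is the split-and-filter logic in Python, using the zero-length lookahead DalJeanis describes to end each comment at the next timestamp; the sample string is the one quoted in the question, and MY_TEAM is a constructed stand-in for the department-filtered myemployees.csv lookup. The same pattern can be used in rex with max_match=0, which yields multivalue when/name/comment fields.

```python
import re
from typing import NamedTuple

# Constructed sample: the UpdateAction value quoted in the question.
SAMPLE_UPDATE_ACTION = (
    "05/05/16 16:12:58 (John): Hello1  13:40:15 (Jill): Hello2 "
    "10:46:46 (Bob): Hello3 04/18/16 16:45:02 (Tom): Hello4"
)

# Constructed stand-in for myemployees.csv filtered to EmployeeDept = "MyDepartment".
MY_TEAM = {"Jill", "Bob"}

# A stamp is an optional mm/dd/yy date followed by an hh:mm:ss time
# (some entries carry both, others only the time).
_STAMP = r"(?:\d{1,2}/\d{1,2}/\d{2,4}\s+)?\d\d:\d\d:\d\d"

# One entry: stamp, "(Name):", then text that ends right before the next
# stamp-plus-"(" (zero-length lookahead) or at the end of the field.
ENTRY_RE = re.compile(
    rf"(?P<when>{_STAMP})\s+\((?P<name>[^)]*)\):\s*(?P<comment>.*?)"
    rf"(?=\s+{_STAMP}\s+\(|\s*$)",
    re.DOTALL,
)


class Entry(NamedTuple):
    when: str
    name: str
    comment: str


def split_entries(update_action: str) -> list[Entry]:
    """Break one concatenated UpdateAction value into its individual entries."""
    return [Entry(m["when"], m["name"], m["comment"])
            for m in ENTRY_RE.finditer(update_action)]


def filter_by_team(update_action: str, team: set[str]) -> list[Entry]:
    """Keep only entries whose author name appears in the team lookup."""
    return [e for e in split_entries(update_action) if e.name in team]


def render(entries: list[Entry]) -> str:
    """Rebuild the column text from the kept entries, in original order."""
    return "  ".join(f"{e.when} ({e.name}): {e.comment}" for e in entries)


if __name__ == "__main__":
    print(render(filter_by_team(SAMPLE_UPDATE_ACTION, MY_TEAM)))
```

The name inside the parentheses is free text typed into the ticket, so this only controls what the panel displays; it does not authenticate who wrote a comment or restrict who can search the underlying rows.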

lguinn2
Legend

It would be most helpful to see the search that generated this panel of the dashboard, and a sample of the data that was searched.
