Re: Is there a way to filter text from a specific ...

steeldol · ‎01-26-2017

Is there a way to filter text from a specific field in a table and only display the filtered text in my dashboard?

For example, I have a panel in my dashboard that contains 5 columns displaying incident ticket information: Ticket#, AssigneeName, Product, OpenTime, Description and UpdateAction. This panel is extracting this data from our ticketing system db. The Update Action field is one that is updated by many different people, including folks not in my support group. I would like to only display entries under the UpdateAction column that were inputted by my team members. The field is currently displaying all entries. For example the column is displaying the following:

05/05/16 16:12:58 (John): Hello1  13:40:15 (Jill): Hello2 10:46:46 (Bob): Hello3 04/18/16 16:45:02 (Tom): Hello4

Is there a way I can edit this field to only display Bob and Jill's entry and not John and Tom's?

DalJeanis · ‎01-26-2017

Yes. basically, you would join the results to a lookup table.

Assuming your employee field in the transactions was AssigneeName, and let's say you have available a lookup table called myemployees.csv that has EmployeeName and EmployeeDept for your employees and also for a bunch of other departments, and a bunch of other fields that you don't need at all.

The search would look something like this.

[your base search] 
| join AssigneeName  [inputlookup myemployees.csv | where EmployeeDept = "MyDepartment"  | table EmployeeName | rename EmployeeName as AssigneeName]

What you are doing above is stripping the lookup table down to only what you want, naming it the same thing that is on your main file, and putting that single-item table into the join command. Since it is an inner join by default, anything on the main search that isn't on your lookup results will be dropped.

steeldol · ‎01-27-2017

Thanks everyone for your input. DalJeanis, actually, all comments will have a date and time entry. I apologize for not making that clear. How does that impact this query? thanks again

steeldol · ‎01-27-2017

Thanks for replies. DalJeanis, actually, every comment does contain a date and time entry. I apologize for not making that clear. In this case, how does that impact this query?

DalJeanis · ‎01-26-2017

Hmmm - looks like you are going to need a rex & regex to strip the different comments out of the comment field. it's made a little more complicated by the fact that some comments have date and time, others just have time.

The following test rex isn't working yet, but it's getting there.

| makeresults 
| eval comment="05/05/16 16:12:58 (John): Hello1  13:40:15 (Jill): Hello2 10:46:46 (Bob): Hello3 04/18/16 16:45:02 (Tom): Hello4"
| rex field=comment max_match=0 "(?<TheDateAndOrTime>(\d{1,2}/\d{1,2}/\d{2,4})?\s*?\d\d:\d\d:\d\d)|\s*?|\s*?\((?<MyName>[^)]*)\):(?<MyComment>.*?)"

Within the comment, match either (1) a time with optional date in front of it or (2) a name surrounded by parenthesis, followed by a colon and some stuff. The trick is identifying the end of the comment at the first start of the next date or time, using some sort of zero-length lookahead. Working on it.

lguinn2 · ‎01-26-2017

It would be most helpful to see the search that generated this panel of the dashboard, and a sample of the data that was searched.

Is there a way to filter text from a specific field in a table and only display the filtered text in my dashboard?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes