Dashboards & Visualizations

Search for specific fields but also list results that do not contain those fields in a dashboard.

snix
Communicator

I am building out a dashboard that can do lookups on Windows DHCP logs. There are a few fields I would like to filter against but not all fields are always in all results. For instance, I have 5 inputs I allow the user to filter the results with (Time, IP, MAC, Hostname, Description). I then give those inputs field names and input them into the panel's query:

index=dhcp dest_ip=$ip_field$ dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$discription_field$

But some results may not contain a MAC address field or may not have a hostname field.

As long a the relevant input has a default wildcard in it I still would want to get back results that do not contain that field. If the user enters something specific into the input, only then I would want it to return results that only had that field in it.

Tags (3)
0 Karma
1 Solution

snix
Communicator

Thank you for the detailed response Giuseppe. Sorry I didn't do a great job in describing the issue I am having. I am not using drop-down input for this I am using text inputs.

The main issue I was running into was some of the results from my query would sometimes not contain data in all the fields that I have dashboard inputs for. That is expected but since each input has a default of "*" it automatically then sets the query to force all results to contain something in each filed or the result would be filtered out.

What I did to get around this was to add:

fillnull value=NULL

I put this in before I searched for any fields that may come back empty:

index=dhcp dest_ip=$ip_field$ | 
fillnull value=NULL |
search dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$ |

That way all fields did technically have something in them and were not left out if there was no original data in them.

View solution in original post

0 Karma

snix
Communicator

Thank you for the detailed response Giuseppe. Sorry I didn't do a great job in describing the issue I am having. I am not using drop-down input for this I am using text inputs.

The main issue I was running into was some of the results from my query would sometimes not contain data in all the fields that I have dashboard inputs for. That is expected but since each input has a default of "*" it automatically then sets the query to force all results to contain something in each filed or the result would be filtered out.

What I did to get around this was to add:

fillnull value=NULL

I put this in before I searched for any fields that may come back empty:

index=dhcp dest_ip=$ip_field$ | 
fillnull value=NULL |
search dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$ |

That way all fields did technically have something in them and were not left out if there was no original data in them.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi snix,
it isn't so elegant but you could change the default value in your dropdown list, you could insert:

<input type="text" token="ip_field">
  <label>Dest IP Address</label>
  <default>*" OR NOT dest_ip="*</default>
  <prefix>(dest_ip="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="mac_field">
  <label>MAC Address</label>
  <default>*" OR NOT dest_mac="*</default>
  <prefix>(dest_mac="</prefix>
  <suffix>")</suffix>
</input>    <input type="text" token="mac_field">
  <label>Dest host</label>
  <default>*" OR NOT dest_nt_host="*</default>
  <prefix>(dest_nt_host="</prefix>
  <suffix>")</suffix>
</input>    <input type="text" token="description_field">
  <label>description</label>
  <default>*" OR NOT description="*</default>
  <prefix>(description="</prefix>
  <suffix>")</suffix>
</input>

and in you search put

index=dhcp $ip_field$ $mac_field$ $host_field$ $discription_field$

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...