Search for specific fields but also list results that do not contain those fields in a dashboard.

Communicator

I am building out a dashboard that can do lookups on Windows DHCP logs. There are a few fields I would like to filter against but not all fields are always in all results. For instance, I have 5 inputs I allow the user to filter the results with (Time, IP, MAC, Hostname, Description). I then give those inputs field names and input them into the panel's query:

index=dhcp dest_ip=$ip_field$ dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$

But some results may not contain a MAC address field or may not have a hostname field.

As long as the relevant input has a default wildcard in it, I would still want to get back results that do not contain that field. Only if the user enters something specific into the input would I want it to return only results that had that field in them.


Communicator

Thank you for the detailed response, Giuseppe. Sorry I didn't do a great job of describing the issue I am having. I am not using a drop-down input for this; I am using text inputs.

The main issue I was running into was that some of the results from my query would sometimes not contain data in all the fields that I have dashboard inputs for. That is expected, but since each input has a default of "*", it automatically sets the query to force all results to contain something in each field or the result would be filtered out.

What I did to get around this was to add:

fillnull value=NULL

I put this in before I searched for any fields that may come back empty:

index=dhcp dest_ip=$ip_field$
| fillnull value=NULL
| search dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$

That way all fields did technically have something in them and were not left out if there was no original data in them.


Legend

Hi snix,
it isn't so elegant but you could change the default value in your dropdown list, you could insert:

<input type="text" token="ip_field">
  <label>Dest IP Address</label>
  <default>*" OR NOT dest_ip="*</default>
  <prefix>(dest_ip="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="mac_field">
  <label>MAC Address</label>
  <default>*" OR NOT dest_mac="*</default>
  <prefix>(dest_mac="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="host_field">
  <label>Dest host</label>
  <default>*" OR NOT dest_nt_host="*</default>
  <prefix>(dest_nt_host="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="description_field">
  <label>description</label>
  <default>*" OR NOT description="*</default>
  <prefix>(description="</prefix>
  <suffix>")</suffix>
</input>

and in your search put

index=dhcp $ip_field$ $mac_field$ $host_field$ $description_field$

Bye.
Giuseppe
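
The `fillnull` approach from the accepted solution, wired into a complete Simple XML form as an added example (not code from the thread). The sample events, the IP/MAC/host values and the dashboard label are constructed, and `makeresults` stands in for `index=dhcp`; naming the fields in `fillnull` is a choice made here so that each field is created even when no event in the result set carries it.

```xml
<!-- Added example (not from the thread): self-contained Simple XML form.
     Events are constructed with makeresults, so no dhcp index is needed. -->
<form version="1.1">
  <label>DHCP lookup (constructed sample data)</label>
  <fieldset submitButton="false">
    <input type="text" token="mac_field">
      <label>MAC Address</label>
      <default>*</default>
    </input>
    <input type="text" token="host_field">
      <label>Hostname</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Row 2 has no dest_mac and row 3 has no dest_nt_host: case()
               returns null when no condition matches, so the field is absent.
               fillnull runs before the token filters, so a default of * still
               matches those rows. Without it only row 1 would be returned. -->
          <query>| makeresults count=3
| streamstats count AS n
| eval dest_ip=case(n=1,"10.0.0.11", n=2,"10.0.0.12", n=3,"10.0.0.13")
| eval dest_mac=case(n=1,"AABBCCDDEE01", n=3,"AABBCCDDEE03")
| eval dest_nt_host=case(n=1,"ws01", n=2,"ws02")
| fillnull value=NULL dest_mac dest_nt_host
| search dest_mac="$mac_field$" dest_nt_host="$host_field$"
| table dest_ip dest_mac dest_nt_host</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With both boxes left at `*`, all three rows come back, with NULL shown where a field was missing. Typing NULL into a box lists only the events that lacked that field.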
