Solved: Re: Search for specific fields but also list resul...

snix · ‎03-10-2018

I am building out a dashboard that can do lookups on Windows DHCP logs. There are a few fields I would like to filter against but not all fields are always in all results. For instance, I have 5 inputs I allow the user to filter the results with (Time, IP, MAC, Hostname, Description). I then give those inputs field names and input them into the panel's query:

index=dhcp dest_ip=$ip_field$ dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$discription_field$

But some results may not contain a MAC address field or may not have a hostname field.

As long a the relevant input has a default wildcard in it I still would want to get back results that do not contain that field. If the user enters something specific into the input, only then I would want it to return results that only had that field in it.

snix · ‎03-11-2018

Thank you for the detailed response Giuseppe. Sorry I didn't do a great job in describing the issue I am having. I am not using drop-down input for this I am using text inputs.

The main issue I was running into was some of the results from my query would sometimes not contain data in all the fields that I have dashboard inputs for. That is expected but since each input has a default of "*" it automatically then sets the query to force all results to contain something in each filed or the result would be filtered out.

What I did to get around this was to add:

fillnull value=NULL

I put this in before I searched for any fields that may come back empty:

index=dhcp dest_ip=$ip_field$ | 
fillnull value=NULL |
search dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$ |

That way all fields did technically have something in them and were not left out if there was no original data in them.

View solution in original post

snix · ‎03-11-2018

Thank you for the detailed response Giuseppe. Sorry I didn't do a great job in describing the issue I am having. I am not using drop-down input for this I am using text inputs.

The main issue I was running into was some of the results from my query would sometimes not contain data in all the fields that I have dashboard inputs for. That is expected but since each input has a default of "*" it automatically then sets the query to force all results to contain something in each filed or the result would be filtered out.

What I did to get around this was to add:

fillnull value=NULL

I put this in before I searched for any fields that may come back empty:

index=dhcp dest_ip=$ip_field$ | 
fillnull value=NULL |
search dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$ |

That way all fields did technically have something in them and were not left out if there was no original data in them.

gcusello · ‎03-10-2018

Hi snix,
it isn't so elegant but you could change the default value in your dropdown list, you could insert:

<input type="text" token="ip_field">
  <label>Dest IP Address</label>
  <default>*" OR NOT dest_ip="*</default>
  <prefix>(dest_ip="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="mac_field">
  <label>MAC Address</label>
  <default>*" OR NOT dest_mac="*</default>
  <prefix>(dest_mac="</prefix>
  <suffix>")</suffix>
</input>    <input type="text" token="mac_field">
  <label>Dest host</label>
  <default>*" OR NOT dest_nt_host="*</default>
  <prefix>(dest_nt_host="</prefix>
  <suffix>")</suffix>
</input>    <input type="text" token="description_field">
  <label>description</label>
  <default>*" OR NOT description="*</default>
  <prefix>(description="</prefix>
  <suffix>")</suffix>
</input>

and in you search put

index=dhcp $ip_field$ $mac_field$ $host_field$ $discription_field$

Bye.
Giuseppe

Search for specific fields but also list results that do not contain those fields in a dashboard.

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...