Solved: Search in Table

ivoZgu · ‎09-04-2024

(index=hcp_system OR index=hcp_logging) namespace=$env_dd$
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>[^,]+),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>[^,]+),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| eval
IID=if("$interface_dd$"!="", "$interface_dd$", IID),
STEP=if("$step_dd$"!="", "$step_dd$", STEP),
PKEY=if(isnull("$record_id$") OR "$record_id$"="", PKEY, "*" . "$record_id$" . "*"),
STATE=if("$state_dd$"!="", "$state_dd$", STATE),
MSG0=if(isnull("$message_1$") OR "$message_1$"="", MSG0, "*" . "$message_1$" . "*"),
PROPS=if(isnull("$properties$") OR "$properties$"="", PROPS, "*" . "$properties$" . "*")
| search (IID=* OR isnull(IID)) (STEP=* OR isnull(STEP)) (PKEY=* OR isnull(PKEY)) (STATE=* OR isnull(STATE)) (MSG0=* OR isnull(MSG0)) (PROPS=* OR isnull(PROPS))
| table IID STEP PKEY STATE MSG0 PROPS

How to make it show in the table values which are selected in DD and if the search field is "text field" (PKEY MSG0 and PROPS in my case) empty to show what the rex PKEY:\s*(?P<PKEY>[^,]+) will extract.
As current behavior is following:

DD DropDown
TF Text Field

Input :
-DD IID:SF
-DD STEP:RECEIVE_FROM_KAFKA
-DD STATE:IN_PROGRESS

-TF PKEY MSG0 and PROPS are empty

Msg1:"#HLS# IID:SF, STEP:RECEIVE_FROM_KAFKA, PKEY:456, STATE:IN_PROGRESS, MSG0:Success, PROPS:YES #HLE#"
Msg2: "#HLS# IID:SAP, STEP:SEND_TO_KAFKA, PKEY:52345345, STATE:IN_PROGRESS, MSG0:MOO, PROPS:FOO #HLE#"

Extracted Table:
STEP | PKEY | STATE | MSG0 | PROPS
RECEIVE_FROM_KAFKA | 52345345 | IN_PROGRESS | MOO | YES

Resume: the result is mixed in column lines from different messages in the input of the text fields is empty,

How can I make it to extract all messages with the following log pattern and then filter them based on the DD or text fields?

ivoZgu · ‎09-13-2024

env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"

View solution in original post

ivoZgu · ‎09-13-2024

env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"

Search in Table

Dashboard Studio

table

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?