Solved: Search in Table

ivoZgu · ‎09-04-2024

(index=hcp_system OR index=hcp_logging) namespace=$env_dd$
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>[^,]+),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>[^,]+),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| eval
IID=if("$interface_dd$"!="", "$interface_dd$", IID),
STEP=if("$step_dd$"!="", "$step_dd$", STEP),
PKEY=if(isnull("$record_id$") OR "$record_id$"="", PKEY, "*" . "$record_id$" . "*"),
STATE=if("$state_dd$"!="", "$state_dd$", STATE),
MSG0=if(isnull("$message_1$") OR "$message_1$"="", MSG0, "*" . "$message_1$" . "*"),
PROPS=if(isnull("$properties$") OR "$properties$"="", PROPS, "*" . "$properties$" . "*")
| search (IID=* OR isnull(IID)) (STEP=* OR isnull(STEP)) (PKEY=* OR isnull(PKEY)) (STATE=* OR isnull(STATE)) (MSG0=* OR isnull(MSG0)) (PROPS=* OR isnull(PROPS))
| table IID STEP PKEY STATE MSG0 PROPS

How to make it show in the table values which are selected in DD and if the search field is "text field" (PKEY MSG0 and PROPS in my case) empty to show what the rex PKEY:\s*(?P<PKEY>[^,]+) will extract.
As current behavior is following:

DD DropDown
TF Text Field

Input :
-DD IID:SF
-DD STEP:RECEIVE_FROM_KAFKA
-DD STATE:IN_PROGRESS

-TF PKEY MSG0 and PROPS are empty

Msg1:"#HLS# IID:SF, STEP:RECEIVE_FROM_KAFKA, PKEY:456, STATE:IN_PROGRESS, MSG0:Success, PROPS:YES #HLE#"
Msg2: "#HLS# IID:SAP, STEP:SEND_TO_KAFKA, PKEY:52345345, STATE:IN_PROGRESS, MSG0:MOO, PROPS:FOO #HLE#"

Extracted Table:
STEP | PKEY | STATE | MSG0 | PROPS
RECEIVE_FROM_KAFKA | 52345345 | IN_PROGRESS | MOO | YES

Resume: the result is mixed in column lines from different messages in the input of the text fields is empty,

How can I make it to extract all messages with the following log pattern and then filter them based on the DD or text fields?

ivoZgu · ‎09-13-2024

env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"

View solution in original post

ivoZgu · ‎09-13-2024

env=$env_dd$ "#HLS#" "#HLE#" "$interface_dd$" "$step_dd$" "$record_id$" "$state_dd$" "$message_1$" "$exception_id$" "$properties$"
| rex "#HLS#\s*IID:\s*(?P<IID>[^,]+),\s*STEP:\s*(?P<STEP>[^,]+),\s*PKEY:\s*(?P<PKEY>.*?),\s*STATE:\s*(?P<STATE>[^,]+),\s*MSG0:\s*(?P<MSG0>.*?),\s*PROPS:\s*(?P<PROPS>[^#]+)\s*#HLE#"
| search IID="*$interface_dd$*" STEP="*$step_dd$*" PKEY="*$record_id$*" STATE="*$state_dd$*" MSG0="*$message_1$*" PROPS="*$properties$*"
| fields IID STEP PKEY STATE MSG0 PROPS _time
| table IID STEP PKEY STATE MSG0 PROPS _time
| rename IID as "Interface ID", STEP as "Step", PKEY as "Primary Key", STATE as "State", MSG0 as "Message", EXCID as "Exception Code", PROPS as "Properties"

Search in Table

Dashboard Studio

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation