Using a single token to search multiple fields from a csv file

learningsplunk
Path Finder

I have a dashboard that's similar to this; however, I'm running into a problem...

Is it possible to use a single token (text token) to search multiple fields at once?

 

For example, from the CSV file:

| Stockticker | StockDescription | Stock Price | CompanyName |
| --- | --- | --- | --- |
| JMS | Food | 1 | JM Smucker Co |
| CO | Food | 2 | Carpy Oscar |
| CSS | Consumer goods | 2.40 | Consumer Staples Select Sector SPDR ETF (XLP) |
| FINC | Goods | 5.12 | Food. Inc |

 

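The user puts "Co" in the token field and their returned rows are:

| Stockticker | StockDescription | Stock Price | CompanyName |
| --- | --- | --- | --- |
| JMS | Food | 1 | JM Smucker Co |
| CO | Food | 2 | Carpy Oscar |
| CSS | Consumer goods | 2.40 | Consumer Staples Select Sector SPDR ETF (XLP) |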

 

Is there a way to search multiple fields with one single token and match that token's value against those multiple fields to return their respective rows?

<form>
  <label>Stocks dashboard</label>
  <description>Stocks dashboard</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="Stocks">
      <label>Put Stock ID here</label>
      <initialValue>*StockTicker*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stocks</title>
      <table>
        <title>Stocks</title>
        <search>
          <query>| inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName|Search Stockticker=$Stocks$ |Search StockDescription=$Stocks$|Search CompanyName=$Stocks$ </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">100</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">preview</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>

 

The query:

| inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName|Search Stockticker=$Stocks$ |Search StockDescription=$Stocks$|Search CompanyName=$Stocks$

 

The issue is that the token only searches the first field that is given, which is Stockticker=$Stocks$, so if a user puts Co into the input, they only get this in return:

| Stockticker | StockDescription | Stock Price | CompanyName |
| --- | --- | --- | --- |
| CO | Food | 2 | Carpy Oscar |

 

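What the user should be getting when using the dashboard to search:

| Stockticker | StockDescription | Stock Price | CompanyName |
| --- | --- | --- | --- |
| JMS | Food | 1 | JM Smucker Co |
| CO | Food | 2 | Carpy Oscar |
| CSS | Consumer goods | 2.40 | Consumer Staples Select Sector SPDR ETF (XLP) |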

 

Is there a way to do that through a CSV file for a Splunk query?

1 Solution

richgalloway
SplunkTrust

When one search command pipes to another, the second search only sees those events that matched the first search.  To search multiple fields, use OR within a single search.

 

| inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName
| search Stockticker=$Stocks$ OR StockDescription=$Stocks$ OR CompanyName=$Stocks$  

 

 

---
If this reply helps you, Karma would be appreciated.
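
The accepted fix applied to the dashboard from the question, as an added example that is not part of the original posts. Each token reference also uses the Simple XML `|s` token filter, which is an addition here and not in the answer, so the typed value reaches the search quoted. It assumes users type their own wildcards, for example `*Co*`.

```xml
<form>
  <label>Stocks dashboard</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="Stocks">
      <label>Put Stock ID here</label>
      <initialValue>*StockTicker*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Stocks</title>
        <search>
          <!-- Before (from the question): three chained search commands. Each one
               only sees the rows kept by the previous one, an implicit AND:
               ... | search Stockticker=$Stocks$ | search StockDescription=$Stocks$
                   | search CompanyName=$Stocks$ -->
          <!-- After: a single search command with OR, as in the accepted answer.
               The |s filter wraps the typed value in double quotes and escapes
               embedded quotes, so input such as JM Smucker Co stays one field
               value instead of being split into separate search terms, and
               typed input is not parsed as additional search syntax. -->
          <query>| inputlookup Stocks.csv
| table Stockticker, StockDescription, "Stock Price", CompanyName
| search Stockticker=$Stocks|s$ OR StockDescription=$Stocks|s$ OR CompanyName=$Stocks|s$</query>
        </search>
        <option name="count">100</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
```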


learningsplunk
Path Finder

Perfect! This works without any issues.
