I have a dashboard that's similar to this; however, I'm running into a problem...
Is it possible to use a single token (Text token) to search multiple fields at once?
For example, from the CSV file:
Stockticker | StockDescription | Stock Price | CompanyName |
JMS | Food | 1 | JM Smucker Co |
CO | Food | 2 | Carpy Oscar |
CSS | Consumer goods | 2.40 | Consumer Staples Select Sector SPDR ETF (XLP) |
FINC | Goods | 5.12 | Food. Inc |
User puts "Co" in the token field and their return fields are:
JMS | Food | 1 | JM Smucker Co |
CO | Food | 2 | Carpy Oscar |
CSS | Consumer goods | 2.40 | Consumer Staples Select Sector SPDR ETF (XLP) |
Is there a way to search multiple fields with one single token and match that token's value to those multiple fields to return their respective rows?
<form>
  <label>Stocks dashboard</label>
  <description>Stocks dashboard</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="Stocks">
      <label>Put Stock ID here</label>
      <initialValue>*StockTicker*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Stocks</title>
      <table>
        <title>Stocks</title>
        <search>
          <query>| inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName|Search Stockticker=$Stocks$ |Search StockDescription=$Stocks$|Search CompanyName=$Stocks$ </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">100</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">preview</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
The query: | inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName|Search Stockticker=$Stocks$ |Search StockDescription=$Stocks$|Search CompanyName=$Stocks$
The issue is that the token only searches for the first field that is given, which is Stockticker=$Stocks$, so if a user puts Co into the input, they only get this for the return:
Stockticker | StockDescription | Stock Price | CompanyName |
CO | Food | 2 | Carpy Oscar |
What the user should be getting when using the dashboard to search:
JMS | Food | 1 | JM Smucker Co |
CO | Food | 2 | Carpy Oscar |
CSS | Consumer goods | 2.40 | Consumer Staples Select Sector SPDR ETF (XLP) |
Is there a way to do that through a CSV file for a Splunk query?
When one search command pipes to another, the second search only sees those events that matched the first search. To search multiple fields, use OR within a single search.
| inputlookup Stocks.csv|table Stockticker,StockDescription,"Stock Price",CompanyName
| search Stockticker=$Stocks$ OR StockDescription=$Stocks$ OR CompanyName=$Stocks$
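The difference between the piped searches and the single OR search, as an added Python illustration that is not part of the original posts and is not Splunk code. It assumes a simplified model of `field=value` matching (case-insensitive, `*` as the only wildcard); the rows are constructed from the table in the question and the function names are hypothetical.

```python
import csv
import io
import re

# Constructed sample: the rows of Stocks.csv as shown in the question.
STOCKS_CSV = """Stockticker,StockDescription,Stock Price,CompanyName
JMS,Food,1,JM Smucker Co
CO,Food,2,Carpy Oscar
CSS,Consumer goods,2.40,Consumer Staples Select Sector SPDR ETF (XLP)
FINC,Goods,5.12,Food. Inc
"""
FIELDS = ("Stockticker", "StockDescription", "CompanyName")


def field_matches(value, token):
    """Simplified model of field=token: case-insensitive, '*' is a wildcard."""
    pattern = ".*".join(re.escape(part) for part in token.split("*"))
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None


def load_rows():
    return list(csv.DictReader(io.StringIO(STOCKS_CSV)))


def piped_search(rows, token):
    """| search A=t | search B=t | search C=t: each stage filters the last."""
    for field in FIELDS:
        rows = [r for r in rows if field_matches(r[field], token)]
    return rows


def or_search(rows, token):
    """| search A=t OR B=t OR C=t: one pass, any field may match."""
    return [r for r in rows if any(field_matches(r[f], token) for f in FIELDS)]


def tickers(rows):
    return [r["Stockticker"] for r in rows]


if __name__ == "__main__":
    rows = load_rows()
    for token in ("Co", "*Co*"):
        print(token, "piped:", tickers(piped_search(rows, token)),
              "OR:", tickers(or_search(rows, token)))
```

In this model the bare token `Co` equals only the ticker `CO`, so the OR search returns that one row; entering `*Co*` returns the JMS, CO and CSS rows.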