Dashboards & Visualizations

Why is Dashboard dropdown filter search query and associated event panel query blocking some results?

SCB588
Engager

I have an event panel with 5 dropdown boxes as shown to be able to filter the base results based on 5 categories


  • by app name - there are two Apps BPE and BPO
  • by sts eg 400's or 500's response codes etc
  • by mtd eg API method POST PATCH GET etc
  • by booking ref
  • by cal eg Calling API

This is the event search I created to return the base results 

app=BP* sts=* | table at,req.bookingReference,app,mtd,cid,sts,dur,rsc,cal,req.offerOptionCode | rename req.bookingReference as bookingReference, req.offerOptionCode as offerOptionCode| search app=* AND mtd=* AND sts=* AND bookingReference=* AND cal=* | sort by at asc

When I remove the "search app=* AND mtd=* AND sts=* AND bookingReference=* AND cal=*" from the query, I then seem to get all the expected results which include POST PATCH and GET items, but with it included, I only get POST method results and not the GET and PATCH items.

I suspect the AND statements are the culprit... I tried OR but then the filters don't work and won't filter the base results.

Appreciate any guidance

Thanks

0 Karma
manjunathmeti
Champion

Try putting * in quotes.

app=BP* sts=* | table at,req.bookingReference,app,mtd,cid,sts,dur,rsc,cal,req.offerOptionCode | rename req.bookingReference as bookingReference, req.offerOptionCode as offerOptionCode| search app="*" mtd="*" sts="*" bookingReference="*" cal="*" | sort by at asc
0 Karma

SCB588
Engager

Hello and thanks @manjunathmeti but still not working. I enclosed the * in quotes and removed the AND 
 
app=BP* | table at,req.bookingReference,app,mtd,cid,sts,dur,rsc,cal,req.offerOptionCode|rename req.bookingReference as bookingReference, req.offerOptionCode as offerOptionCode | search app="*" mtd="*" sts="*" bookingReference="*" cal="*"| sort by at asc

Results still don't return API method PATCH and GET unless I remove the search statement

0 Karma

manjunathmeti
Champion

You must have field values in all these fields app, sts, bookingReference and cal for the events where the field mtd contains PATCH/GET values.

0 Karma

SCB588
Engager

Oh ok I did not realise that @manjunathmeti 

I was trying to present certain values in a columnised Table, but some of those values won't be populated for all API methods... which means then I may have to have separate panels in the dashboard for the particular API Method, I guess ☹️

Thanks for your guidance

0 Karma
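
The behaviour described in the accepted answer, shown as an added example that is not part of the original thread: a `field="*"` term only matches events in which that field exists, so events whose bookingReference or cal is empty are dropped by the wildcard filter. The search below builds three constructed events with `makeresults` (the values "BPE", "ABC123", "offers" and the "-" placeholder are sample data, not taken from the poster's index) and uses `fillnull` before the filter; with the `fillnull` line removed only the POST row is returned, with it all three rows are returned.

```spl
| makeresults count=3
| streamstats count as n
| eval app="BPE", sts=if(n==1,"200","400"), mtd=case(n==1,"POST", n==2,"GET", n==3,"PATCH")
| eval bookingReference=if(mtd=="POST","ABC123",null()), cal=if(mtd=="POST","offers",null())
| fillnull value="-" bookingReference cal
| search app="*" mtd="*" sts="*" bookingReference="*" cal="*"
| table n app mtd sts bookingReference cal
```

Placed before the filter in the panel query, the same `fillnull` keeps GET and PATCH rows in a single table while the dropdowns are at their `*` default, and selecting a specific booking reference still narrows the results to matching events.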