Solved: How to filter results based on user value or lack ...

AKG1_old1 · ‎08-29-2017

I am looking to filter results based on the users. The problem is some of the data doesn't have user value.

Currently, I am using below condition

User = $user_token$ OR NOT User = *

Condition 1: To extract all the results ($user_token$ = *) - Working fine

 User = * OR NOT User = *   ("OR NOT User = *"  is for getting data which is not having user value)

Condition 2: To extract results with specific user ($user_token$ = XYZ)

User = XYZ OR NOT User = *

In condition 2 along with XYZ user it extract the data which doen't have user value. I am not sure how to modify condition so both condition work together.

My Search Query:

| tstats summariesonly=true max(All_TPS_Logs.duration) AS All_TPS_Logs.duration values(All_TPS_Logs.user) AS user FROM datamodel=MLC_TPS_DEBUG4 WHERE (nodename=All_TPS_Logs host=LCH_UPGR36-T32_LRBCrash-2017-08-08_09_44_32-archive (All_TPS_Logs.user=MUREXBO OR NOT All_TPS_Logs.user=*)) All_TPS_Logs.name =*** GROUPBY _time, All_TPS_Logs.fullyQualifiedMethod span=1s

Note: I drive user values from drop down menu.

gcusello · ‎08-29-2017

Hi agoyal,
insert in your input something like this (it's a text box)

<input type="text" token="my_token">
      <label>My Token</label>
      <default>*" OR NOT my_field="*</default>
      <prefix>(my_field="</prefix>
      <suffix>")</suffix>
</input>

In this way the default value is "*" and "NOT *", if instead you insert a value it takes only the value.
Bye.
Giuseppe

View solution in original post

gcusello · ‎08-29-2017

Hi agoyal,
insert in your input something like this (it's a text box)

<input type="text" token="my_token">
      <label>My Token</label>
      <default>*" OR NOT my_field="*</default>
      <prefix>(my_field="</prefix>
      <suffix>")</suffix>
</input>

In this way the default value is "*" and "NOT *", if instead you insert a value it takes only the value.
Bye.
Giuseppe

AKG1_old1 · ‎08-29-2017

Thank you @ cusello. Here is final query and input token.

| tstats summariesonly=$summariesonly_token$ $split_by_token2$(All_TPS_Logs.duration) AS All_TPS_Logs.duration values(All_TPS_Logs.user) AS user FROM datamodel=MLC_TPS_DEBUG4 WHERE (nodename=All_TPS_Logs host=$host_token$ (All_TPS_Logs.user=$tps_user_token$)) All_TPS_Logs.name =*$TPS_Class_token$* GROUPBY _time, All_TPS_Logs.$fullyQualifiedMethod_or_class$ span=1s

  <input type="dropdown" token="tps_user_token" searchWhenChanged="true">
<label>User:</label>
<search>
  <query>| tstats summariesonly=true values(All_TPS_Logs.user) AS user FROM datamodel=MLC_TPS_DEBUG4 WHERE (nodename=All_TPS_Logs host=$host_token$) All_TPS_Logs.name =*** GROUPBY All_TPS_Logs.user | table user</query>
  <earliest>$tps_selection.earliest$</earliest>
  <latest>$tps_selection.latest$</latest>
</search>
<fieldForLabel>user</fieldForLabel>
<fieldForValue>user</fieldForValue>
<choice value="* OR NOT All_TPS_Logs.user=*">All</choice>
<default>All</default>

How to filter results based on user value or lack of user value?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation