Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for specific values that have similar value

yohhpark
Path Finder
‎10-03-2023 08:06 AM

For example,

system_id = AA-1, AA-1-a, AA-1-b,  AA-10, AA-10-a, AA-10-b, AA-12, AA-12-a, AA-12-b,,, and so on.

 

Notice all the system_id starts with common 'AA-1' and * afterward. However, when use it as a token, as you've already feel the problem, AA-10* would return ALL the following id's start with AA-10* and nothing else, so good. however, if I choose AA-1*, not only it returns the values that start with AA-1 but also AA-10 and AA-12, which I do not want. Trying to make this a dashboard, dropdown with token, where user pikc AA-1, and it only returns ALL the values that only ahs AA-1, aa-1-a, aa-1-b and so on.

 

hope this question makes sense. has anyone fix such issue before?

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2023 10:23 AM

Just find all events with system_id=aa-1* initially (to limit the number of events you're working with) and then use then regex command to limit the values only to aa-1(-.*)?

0 Karma
Reply

_JP
Contributor
‎10-06-2023 10:17 AM

I was able to get things to work with makeresults and a mocked up Dashboard.  How does this work for you on your end:

 

 

<form version="1.1" theme="dark">
  <label>Test Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="system_id" searchWhenChanged="true">
      <label>system_id</label>
      <choice value="*">*</choice>
      <choice value="AA-1">AA-1</choice>
      <choice value="AA-2">AA-2</choice>
      <choice value="AA-10">AA-10</choice>
      <initialValue>*</initialValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format="json" data="[{\"system_id\":\"AA-1\"}, {\"system_id\":\"AA-2\"}, {\"system_id\":\"AA-10\"}, {\"system_id\":\"AA-15\"}, {\"system_id\":\"AA-1\"}, {\"system_id\":\"AA-123\"}, {\"system_id\":\"aa-1-a\"}]" , {\"system_id\":\"aa-1-b\"} | search system_id="$system_id$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...