Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Working with two filters for one event row

vtsguerrero
Contributor
‎07-25-2014 06:30 AM

I have one drop down and one text input, I need the user to be able to by both components OR INDIVIDUAL, one optional and they are both used for just one event row...

index=main source type=main_error ChannelCode=$channel$ OR ProcessCode=$process$

Can anyone explain this search string to me ?
Thanks in advance!

0 Karma
Reply

somesoni2
Revered Legend
‎07-28-2014 05:56 AM

You can use the value as "*" for the dropdown/text box so that if User doesn't selects a filter, its default value * will be supplied.

E.g. dashboard

Updated

 <form>
  <label>DynamicChartTitle</label>
  <description>NULL</description>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=_internal earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
    <input type="text" token="source" searchWhenChanged="true">
      <label>Source</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>The chart tile</title>
      <searchString>index=_internal [|gentimes start=-1 
        | eval search=if("$sourcetype$"="*","","sourcetype=\"$sourcetype$\"")
        | eval search=case("$source$"="*",search, search !="",search." OR source=\"$source$\"",1=1,"source=\"$source$\"") | table search]
        | stats count by sourcetype, source</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>            
    </table>
  </row>
</form>
Reply

somesoni2
Revered Legend
‎07-28-2014 07:28 AM

I had overlooked the OR condition between two filters. I have added some logic to handle that situation. Try the updated answer.

0 Karma
Reply

tom_frotscher
Builder
‎07-28-2014 06:38 AM

This is a good approach in general for the mentioned problem. But can't there be some side effects in this special case? Because the fields are combined with the OR operator.

0 Karma
Reply

vtsguerrero
Contributor
‎07-26-2014 04:22 PM

When searching using a searchString, it's only searching if user choose a dropdown value and also type something in the text input, and I wanted to be able to search individually independent.

0 Karma
Reply

strive
Influencer
‎07-25-2014 12:29 PM

Do you mean "both the fields to be mandatory". In you search with that OR condition, even if user gives any one input the search will execute.

0 Karma
Reply

vtsguerrero
Contributor
‎07-25-2014 11:38 AM

Sorry when I said filter, I meant two inputs...

0 Karma
Reply

vtsguerrero
Contributor
‎07-25-2014 09:37 AM

It's only searching both mandatory :X

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...