Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Working with two filters for one event row

vtsguerrero
Contributor
‎07-25-2014 06:30 AM

I have one drop down and one text input, I need the user to be able to by both components OR INDIVIDUAL, one optional and they are both used for just one event row...

index=main source type=main_error ChannelCode=$channel$ OR ProcessCode=$process$

Can anyone explain this search string to me ?
Thanks in advance!

0 Karma
Reply

somesoni2
Revered Legend
‎07-28-2014 05:56 AM

You can use the value as "*" for the dropdown/text box so that if User doesn't selects a filter, its default value * will be supplied.

E.g. dashboard

Updated

 <form>
  <label>DynamicChartTitle</label>
  <description>NULL</description>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=_internal earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
    <input type="text" token="source" searchWhenChanged="true">
      <label>Source</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>The chart tile</title>
      <searchString>index=_internal [|gentimes start=-1 
        | eval search=if("$sourcetype$"="*","","sourcetype=\"$sourcetype$\"")
        | eval search=case("$source$"="*",search, search !="",search." OR source=\"$source$\"",1=1,"source=\"$source$\"") | table search]
        | stats count by sourcetype, source</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>            
    </table>
  </row>
</form>
Reply

somesoni2
Revered Legend
‎07-28-2014 07:28 AM

I had overlooked the OR condition between two filters. I have added some logic to handle that situation. Try the updated answer.

0 Karma
Reply

tom_frotscher
Builder
‎07-28-2014 06:38 AM

This is a good approach in general for the mentioned problem. But can't there be some side effects in this special case? Because the fields are combined with the OR operator.

0 Karma
Reply

vtsguerrero
Contributor
‎07-26-2014 04:22 PM

When searching using a searchString, it's only searching if user choose a dropdown value and also type something in the text input, and I wanted to be able to search individually independent.

0 Karma
Reply

strive
Influencer
‎07-25-2014 12:29 PM

Do you mean "both the fields to be mandatory". In you search with that OR condition, even if user gives any one input the search will execute.

0 Karma
Reply

vtsguerrero
Contributor
‎07-25-2014 11:38 AM

Sorry when I said filter, I meant two inputs...

0 Karma
Reply

vtsguerrero
Contributor
‎07-25-2014 09:37 AM

It's only searching both mandatory :X

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...