Splunk Enterprise Security

Omit Token Value from Results on 1 Panel

chrisschum
Path Finder

I have a dashboard with multiple panels, some of which provide hostnames and others that do not (some coming from AD and others coming from routers). I have text search boxes that tie to all the panels and populate data when it's available.

My question is, how do I omit results in a panel that looks at router logs and therefore doesn't have a hostname? Currently, if I do a search from a hostname, the panel running a search on router logs just pulls up all router logs. If someone searches for a hostname, I just want the panel that searches router logs to say "no results found". All the table results except IP come from an Automatic Lookup populated by a Lookup file.

Below is the dashboard panel search string.

index=__sec_fw sourcetype=cisco:asa host IN ("router1", "router2") src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 128.163.61.0/24, 128.163.59.0/25, 128.163.59.128/25)
| rename src_ip AS IP
| search IP="$ip$"
| table "IP", Location, Location_Additional, Floor, _time

0 Karma

Sukisen1981
Champion

hi @chrisschum - Not very clear to me.
You have a drop down input with host names?
If so, what is the expected result if user selects router1 from the drop down?
If you mean to say the result should be "no results found", then when should this query execute?
It is a bit confusing; can you throw some more clarity on your requirements?

0 Karma

chrisschum
Path Finder

I apologize it's taken me so long to respond.

Actually, it turns out I don't need to do it this way anymore as the needs changed.

Thanks for responding!

0 Karma

niketn
Legend

@chrisschum if you can add the summary or overview of what you have done to resolve your issue as an answer and accept the same, then it would be great, so that the question is marked as answered and may assist others facing a similar issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

chrisschum
Path Finder

@niketnilay I completely understand, but the thing is the issue wasn't resolved. I just went a different direction with the dashboard. I simply made everyone who uses it (just a handful of people) aware that if they weren't searching an IP, to ignore the panels with IP information. I just worked around it.

Thanks!

0 Karma