Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on a filter token which falsify the results

jip31
Motivator
‎03-09-2021 02:16 AM

hi

I am doing a basic count with the xml below

 

 

    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="N">N</choice>
      <choice value="SE">SE</choice>
      <initialValue>N</initialValue>
      <default>N</default>
    </input>
    <input type="dropdown" token="tok_filtercategory" searchWhenChanged="true">
      <label>Category.</label>
      <default>*</default>
      <choice value="*">*</choice>
      <choice value="HW/PC TABLET">HW/PC TABLET</choice>
      <choice value="HW/PC LAPTOP">HW/PC LAPTOP</choice>
      <choice value="HW/PC DESKTOP">HW/PC DESKTOP</choice>
      <choice value="Hardware">Hardware</choice>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterdepartment" searchWhenChanged="true">
      <label>Department</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterresponsible" searchWhenChanged="true">
      <label>Responsible (Use *_* or "_")</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Number of devices with "Production" STATUS</title>
      <single>
        <title>Source : ServiceNow</title>
        <search>
          <query>| inputlookup fo_all where TYPE="PC" (DOMAIN=I OR DOMAIN=B) (CATEGORY = "HW/PC LAPTOP" OR CATEGORY ="HW/PC TABLET" OR CATEGORY ="HW/PC DESKTOP") (STATUS = "Production") 
| search SITE=$tok_filtersite|s$ 
| search CATEGORY=$tok_filtercategory|s$ 
| search DEPARTMENT=$tok_filterdepartment$ 
| search RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| stats dc(HOSTNAME)</query>

 

 

But the count is right only when I delete the DEPARTMENT token and I dont know why

The only think I can say is that most the time, the DEPARTMENT field is empty

 

 

| search DEPARTMENT=$tok_filterdepartment$

 

And if cumulate the number of events when I add this at the end of my search :

 search NOT DEPARTMENT=""
 search DEPARTMENT=""

the number of results is right...

What is the problem please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2021 01:23 PM

This is because there where clause does not work quite the same way as 'search', i.e. where

| where DEPARTMENT=$tok_filterdepartment|s$

is doing a string literal equals, and not using the wildcards. You need a match+regex for where clauses.

So, I suggest this

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| fillnull value="" DEPARTMENT
| search DEPARTMENT=$tok_filterdepartment|s$

which will convert your null DEPARTMENT fields to empty fields and then use search to handle your input wildcards easily.

Hope this helps

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2021 02:32 AM

The problem is as you suspect, if the department field is not present, then searching for department=* will not find rows where department is null.

You could replace your search commands with

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| where DEPARTMENT=$tok_filterdepartment|s$ OR $tok_filterdepartment|s$="*"

 where the DEPARTMENT search is done with a where clause and says

'department matches filtered department OR filtered department is your default wildcard entry', i.e. the last part will match everything if it's ALL

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-09-2021 05:52 AM

have you an idea please??

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-09-2021 02:49 AM

like this, I have the good result but.....

the input text value for department field is not taken into account

If I put a value in department input text (*O* for example), the count has to be done on this value

But instead this, i have 0 in the results...

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2021 01:23 PM

This is because there where clause does not work quite the same way as 'search', i.e. where

| where DEPARTMENT=$tok_filterdepartment|s$

is doing a string literal equals, and not using the wildcards. You need a match+regex for where clauses.

So, I suggest this

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| fillnull value="" DEPARTMENT
| search DEPARTMENT=$tok_filterdepartment|s$

which will convert your null DEPARTMENT fields to empty fields and then use search to handle your input wildcards easily.

Hope this helps

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-09-2021 09:29 PM

thanks it works now 😉

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...