Splunk Enterprise

help on a filter token which falsifies the results

jip31 (Motivator)

hi

I am doing a basic count with the XML below (the fieldset and the closing tags of the panel are filled in so the fragment is a well-formed form):

<form>
  <fieldset>
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="N">N</choice>
      <choice value="SE">SE</choice>
      <initialValue>N</initialValue>
      <default>N</default>
    </input>
    <input type="dropdown" token="tok_filtercategory" searchWhenChanged="true">
      <label>Category.</label>
      <default>*</default>
      <choice value="*">*</choice>
      <choice value="HW/PC TABLET">HW/PC TABLET</choice>
      <choice value="HW/PC LAPTOP">HW/PC LAPTOP</choice>
      <choice value="HW/PC DESKTOP">HW/PC DESKTOP</choice>
      <choice value="Hardware">Hardware</choice>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterdepartment" searchWhenChanged="true">
      <label>Department</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterresponsible" searchWhenChanged="true">
      <label>Responsible (Use *_* or "_")</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Number of devices with "Production" STATUS</title>
      <single>
        <title>Source : ServiceNow</title>
        <search>
          <query>| inputlookup fo_all where TYPE="PC" (DOMAIN=I OR DOMAIN=B) (CATEGORY = "HW/PC LAPTOP" OR CATEGORY ="HW/PC TABLET" OR CATEGORY ="HW/PC DESKTOP") (STATUS = "Production")
| search SITE=$tok_filtersite|s$
| search CATEGORY=$tok_filtercategory|s$
| search DEPARTMENT=$tok_filterdepartment$
| search RESPONSIBLE_USER=$tok_filterresponsible|s$
| stats dc(HOSTNAME)</query>
        </search>
      </single>
    </panel>
  </row>
</form>
But the count is right only when I delete the DEPARTMENT token, and I don't know why.

The only thing I can say is that most of the time, the DEPARTMENT field is empty.

| search DEPARTMENT=$tok_filterdepartment$

And if I cumulate the number of events when I add this at the end of my search:

| search NOT DEPARTMENT=""
| search DEPARTMENT=""

the number of results is right...

What is the problem please?


bowesmana (SplunkTrust)

The problem is as you suspect: if the department field is not present, then searching for department=* will not find rows where department is null.

You could replace your search commands with

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| where DEPARTMENT=$tok_filterdepartment|s$ OR $tok_filterdepartment|s$="*"

where the DEPARTMENT search is done with a where clause and says

'department matches filtered department OR filtered department is your default wildcard entry', i.e. the last part will match everything if it's ALL.

jip31 (Motivator)

Have you an idea please?

jip31 (Motivator)

Like this, I have the good result, but...

the input text value for the department field is not taken into account.

If I put a value in the department input text (*O* for example), the count has to be done on this value.

But instead of this, I have 0 in the results...

bowesmana (SplunkTrust)

This is because the where clause does not work quite the same way as 'search', i.e. where

| where DEPARTMENT=$tok_filterdepartment|s$

is doing a string literal equals, and not using the wildcards. You need a match+regex for where clauses.

So, I suggest this

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| fillnull value="" DEPARTMENT
| search DEPARTMENT=$tok_filterdepartment|s$

which will convert your null DEPARTMENT fields to empty fields and then use search to handle your input wildcards easily.

Hope this helps

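To see the accepted answer's point on data you can run anywhere, here is an added example (not from the original post or from Splunk) that uses makeresults to construct five fake ServiceNow rows, two of which carry no DEPARTMENT field at all, and then applies the fillnull + search pattern with the department filter written out as the literal the |s token filter produces for the default value *:

```spl
| makeresults count=5
| streamstats count AS n
| eval HOSTNAME="pc-".n
| eval DEPARTMENT=case(n=1, "OPERATIONS", n=2, "SALES", n=3, "LOGISTICS", true(), null())
| eval STATUS="Production"
| search STATUS="Production"
| fillnull value="" DEPARTMENT
| search DEPARTMENT="*"
| stats dc(HOSTNAME) AS devices
```

With the fillnull line in place, devices is 5. Delete that line and `| search DEPARTMENT="*"` drops pc-4 and pc-5, because they have no DEPARTMENT field to match, which is the undercount described in the question. Replace `"*"` with `"*O*"` and the count is 2 (OPERATIONS and LOGISTICS), which is what the text input is supposed to do; the same literal behind `| where DEPARTMENT="*O*"` gives 0, because where compares strings literally, exactly as the answer says. In the dashboard, `"*"` becomes `$tok_filterdepartment|s$`: the |s filter wraps the token value in double quotes, and the search command still treats the * inside the quotes as a wildcard.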

jip31 (Motivator)

Thanks, it works now 😉
