Splunk Enterprise

help on a filter token which falsifies the results

jip31
Motivator

hi

I am doing a basic count with the XML below

<form>
  <fieldset>
    <input type="dropdown" token="tok_filtersite" searchWhenChanged="true">
      <label>Site</label>
      <choice value="N">N</choice>
      <choice value="SE">SE</choice>
      <initialValue>N</initialValue>
      <default>N</default>
    </input>
    <input type="dropdown" token="tok_filtercategory" searchWhenChanged="true">
      <label>Category.</label>
      <default>*</default>
      <choice value="*">*</choice>
      <choice value="HW/PC TABLET">HW/PC TABLET</choice>
      <choice value="HW/PC LAPTOP">HW/PC LAPTOP</choice>
      <choice value="HW/PC DESKTOP">HW/PC DESKTOP</choice>
      <choice value="Hardware">Hardware</choice>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterdepartment" searchWhenChanged="true">
      <label>Department</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="tok_filterresponsible" searchWhenChanged="true">
      <label>Responsible (Use *_* or "_")</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Number of devices with "Production" STATUS</title>
      <single>
        <title>Source : ServiceNow</title>
        <search>
          <query>| inputlookup fo_all where TYPE="PC" (DOMAIN=I OR DOMAIN=B) (CATEGORY = "HW/PC LAPTOP" OR CATEGORY ="HW/PC TABLET" OR CATEGORY ="HW/PC DESKTOP") (STATUS = "Production")
| search SITE=$tok_filtersite|s$
| search CATEGORY=$tok_filtercategory|s$
| search DEPARTMENT=$tok_filterdepartment$
| search RESPONSIBLE_USER=$tok_filterresponsible|s$
| stats dc(HOSTNAME)</query>
        </search>
      </single>
    </panel>
  </row>
</form>

But the count is right only when I delete the DEPARTMENT token, and I don't know why.

The only thing I can say is that most of the time, the DEPARTMENT field is empty.

| search DEPARTMENT=$tok_filterdepartment$

And if I cumulate the number of events when I add this at the end of my search:

 search NOT DEPARTMENT=""
 search DEPARTMENT=""

the number of results is right...

What is the problem please?


bowesmana
SplunkTrust

The problem is as you suspect: if the department field is not present, then searching for department=* will not find rows where department is null.

You could replace your search commands with

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| where DEPARTMENT=$tok_filterdepartment|s$ OR $tok_filterdepartment|s$="*"

where the DEPARTMENT search is done with a where clause and says

'department matches filtered department OR filtered department is your default wildcard entry', i.e. the last part will match everything if it's ALL

jip31
Motivator

Have you an idea please?

jip31
Motivator

Like this, I have the good result but.....

the input text value for the department field is not taken into account.

If I put a value in the department input text (*O* for example), the count has to be done on this value.

But instead of this, I have 0 in the results...

bowesmana
SplunkTrust

This is because the where clause does not work quite the same way as 'search', i.e. where

| where DEPARTMENT=$tok_filterdepartment|s$

is doing a string literal equals, and not using the wildcards. You need a match+regex for where clauses.

So, I suggest this

| search SITE=$tok_filtersite|s$ CATEGORY=$tok_filtercategory|s$ RESPONSIBLE_USER=$tok_filterresponsible|s$ 
| fillnull value="" DEPARTMENT
| search DEPARTMENT=$tok_filterdepartment|s$

which will convert your null DEPARTMENT fields to empty fields and then use search to handle your input wildcards easily.

Hope this helps

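As an added illustration (not code from the thread or from Splunk), the following Python models the three SPL behaviours discussed in this thread, `search FIELD=pattern` (wildcards, but a missing or null field never matches), `where FIELD="literal"` (plain string equality, no wildcards) and `fillnull`, and runs them over a few constructed rows standing in for the fo_all lookup. It is a simplified model of the semantics the answer describes, not Splunk itself; the row values and hostnames are invented.

```python
import re

# Constructed sample rows standing in for the fo_all lookup (not the thread's
# real data). DEPARTMENT is absent or null on half of them, mirroring the
# "most of the time the DEPARTMENT field is empty" case from the question.
ROWS = [
    {"HOSTNAME": "pc-01", "SITE": "N", "DEPARTMENT": "OPS"},
    {"HOSTNAME": "pc-02", "SITE": "N", "DEPARTMENT": "HR"},
    {"HOSTNAME": "pc-03", "SITE": "N"},                      # field absent
    {"HOSTNAME": "pc-04", "SITE": "N", "DEPARTMENT": None},  # explicit null
]

def _wildcard(pattern):
    # '*' in a search-command value matches any run of characters, case-insensitively.
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)

def spl_search(rows, field, pattern):
    """Model of '| search FIELD=pattern': the row must HAVE the field and its
    value must match the wildcard. A missing/null field never matches, not even
    for pattern '*', which is why the question's count came out too low."""
    rx = _wildcard(pattern)
    return [r for r in rows if r.get(field) is not None and rx.match(r[field])]

def spl_where_eq(rows, field, literal):
    """Model of '| where FIELD="literal"': plain equality, no wildcards, so
    where DEPARTMENT="*O*" matches nothing (the 0 result seen in the thread)."""
    return [r for r in rows if r.get(field) == literal]

def spl_fillnull(rows, field, value=""):
    """Model of '| fillnull value="" FIELD': every row gets a value for FIELD."""
    return [dict(r, **{field: r[field] if r.get(field) is not None else value})
            for r in rows]

def dc_hostname(rows):
    """Model of '| stats dc(HOSTNAME)'."""
    return len({r["HOSTNAME"] for r in rows})

def count_devices(rows, dept_token, fill_first):
    """Device count for one DEPARTMENT token value, with or without the
    fillnull step from the accepted answer."""
    if fill_first:
        rows = spl_fillnull(rows, "DEPARTMENT")
    return dc_hostname(spl_search(rows, "DEPARTMENT", dept_token))

if __name__ == "__main__":
    print(count_devices(ROWS, "*", fill_first=False))   # 2: null rows dropped
    print(count_devices(ROWS, "*", fill_first=True))    # 4: every device counted
    print(count_devices(ROWS, "*O*", fill_first=True))  # 1: only OPS matches
    print(dc_hostname(spl_where_eq(ROWS, "DEPARTMENT", "*O*")))  # 0: literal compare
```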

jip31
Motivator

Thanks, it works now 😉
