Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard to query optional fields

gtonti
Explorer
‎05-21-2018 01:35 AM

My log file is:

  1. TimeStamp=20180521095103123 Service=ABC12 User=ut1234 Id=12345678 Msg=ttttttttttttt
  2. TimeStamp=20180521095103456 Service=ABC12 Id=12345678 Msg=xxxxxxxxxxxx
  3. TimeStamp=20180521095103723 Service=ABC12 User=ut1234 Msg=yyyyyyyyyyyyyyyy

I want a dashboard in which I can search for Service, User, Id.
I made three input fields with default="*".


  3. Service
  4. *


  7. User
  8. *


  11. id
  12. *

My query is:

  1. index=xxxx Service=$serviceToken$ User=$userToken$ Id=$idToken$

When I make the query I get only thee first row of the log.
I understood that it is related to fields not present in the log file.

How can I modify my dashboard/query to obtain alle the rows?

Thank you

Reply

gtonti
Explorer
‎05-22-2018 03:24 AM

Hi everybody,
I adopted this solution. I created a token using change/condition. In this scenario I changed the default value form "*" to blanck.

The input in the xml dashboard definition is:

  1. <input type="text">
  2. <label>User</label>
  3. <initialValue></initialValue>
  4. <change>
  5. <condition value="">
  6. <set token="userToken"></set>
  7. </condition>
  8. <condition>
  9. <set token="userToken">User=$value$</set>
  10. </condition>
  11. </change>
  12. </input>

the query is:
index=xxx $userToken$

what happens is:
1) if User is empty/blank the query is index=xxx
2) if User has a value the query is index=xxx User=value

Reply

duartet
Path Finder
‎02-06-2020 06:33 AM

Worked for me! Thanks

0 Karma
Reply

mayurr98
Super Champion
‎05-21-2018 02:34 AM

Try this

index=xxxx Service=$serviceToken$ Id=$idToken$ OR User=$userToken$

let me know if this helps!

0 Karma
Reply

gtonti
Explorer
‎05-21-2018 02:56 AM

Thank you for the reply.
It works if I leave * in all the inputs.
If I set User to ut1234 I want only two lines as response of the query (the row 1 and 3).

Thank you

0 Karma
Reply

mayurr98
Super Champion
‎05-21-2018 05:05 AM

Yes, you are right this will not work in that case. This is because you are searching User=ut1234 OR Id=*
In order to write correct search query, you would need to add only those fields which are available in all the events. OR else you would need to find a workaround

Try this

index=xxxx | fillnull value="NA" User |search  Service=$serviceToken$ Id=$idToken$  User=$userToken$
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...