Solved: Display all results if text field is * , or partia...

JohnD-Splunker

I'm trying to have the dashboard return all results if the text field is * or return all phone numbers with a partial search in the text box.

    <input type="text" token="PhoneNumber" searchWhenChanged="true">
      <label>Phone number to search</label>
      <default>*</default>
    </input>

The search on the dashboard panel:

index="cellulardata"   | where if ($PhoneNumber$ ="*", (like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$phonenumber$%" ) |  eval Type=if(like(lower('Charge description'), "%text%")  OR like(lower('Charge description'), "%ict%"), "Text", "Voice") | eval Direction=if (Type="Voice" AND 'Called city_state' = "INCOMING,CL","Incoming","Outgoing") | eval datetime =Date." ".Time | eval _time=strptime (datetime,"%m/%d/%Y %H:%M") | eval DateTime=strftime(_time, "%m/%d/%y %I:%M %p") |  eval To_from=replace (To_from,"\.","") | table DateTime, "Wireless number and descriptions", To_from, Type, Direction |rename "Wireless number and descriptions" as Number | sort -DateTime

The query returns no results no matter if the text field is empty or not. I've removed the entry below from the search, so I know the rest of the search works:

where if ($PhoneNumber$ ="*", (like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$phonenumber$%"

I've tried comparing this to other dashboards I've seen and searching google, but no luck for some reason.

yuanliu

The query returns no results no matter if the text field is empty or not. I've removed the entry below from the search, so I know the rest of the search works:

where if ($PhoneNumber$ ="*", (like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$phonenumber$%"

So many problems in your description. First of all, the above search misspells the token name as $phonenumber$ in the second value when your input defines a token named PhoneNumber (with camel case). If that's the search in your panel, Splunk will be "waiting for input" no matter what you do.

Secondly, if you correct the token name, the if function contains several misplaced parentheses that will give syntax error. If you want to include SPL snippets in question, do not make volunteers guess what you actually meant. It is fair to modify your samples to conceal sensitive info. But make sure the sample is error free.

Correcting for the two obvious errors, your example will look like

where if ($PhoneNumber$ ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$PhoneNumber$%"))

Here is problem 3: if you enter no text, Splunk not only returns nothing, but will also give you an error

Error in 'where' command: The expression is malformed. An unexpected character is reached at '* ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%*%"))'.

In an evaluation context (which where command uses), if you want to use a token as literal string, you must quote it.

Correcting for this 3rd error, you get

where if ("$PhoneNumber$" ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$PhoneNumber$%"))

While this gives you output when you enter nothing into input, it has a 4th problem that you can diagnose using @PickleRick's suggestion by clicking the magnifying glass: your second value in the if function misspells field name Wireless number and descriptions - "number" is spelled with a capital N. I deduce that your field name contains the word "number" with lower case because you said when you enter a valid phone number your mistaken dashboard still returns nothing. (Also because in the rest of the search you used all-lower case "number".

So, the least you can change to is

where if ("$PhoneNumber$" ="*", like('Wireless number and descriptions',"%"),like('Wireless number and descriptions',"%$PhoneNumber$%"))

However, the first value in the expression is a waste because like('Wireless number and descriptions',"%") always evaluates to true. You should tell the compiler to just do so.

where if ("$PhoneNumber$" ="*", true(), like('Wireless number and descriptions',"%$PhoneNumber$%"))

But then, why invoke if function if you can just use a search term? How about

index="cellulardata" "Wireless number and descriptions" = "*$phonenumber$*"
| eval Type=if(like(lower('Charge description'), "%text%")  OR like(lower('Charge description'), "%ict%"), "Text", "Voice")
| eval Direction=if (Type="Voice" AND 'Called city_state' = "INCOMING,CL","Incoming","Outgoing")
| eval datetime =Date." ".Time
| eval _time=strptime (datetime,"%m/%d/%Y %H:%M")
| eval DateTime=strftime(_time, "%m/%d/%y %I:%M %p")
| eval To_from=replace (To_from,"\.","")
| table DateTime, "Wireless number and descriptions", To_from, Type, Direction
| rename "Wireless number and descriptions" as Number
| sort -DateTime

View solution in original post

yuanliu

The query returns no results no matter if the text field is empty or not. I've removed the entry below from the search, so I know the rest of the search works:

where if ($PhoneNumber$ ="*", (like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$phonenumber$%"

So many problems in your description. First of all, the above search misspells the token name as $phonenumber$ in the second value when your input defines a token named PhoneNumber (with camel case). If that's the search in your panel, Splunk will be "waiting for input" no matter what you do.

Secondly, if you correct the token name, the if function contains several misplaced parentheses that will give syntax error. If you want to include SPL snippets in question, do not make volunteers guess what you actually meant. It is fair to modify your samples to conceal sensitive info. But make sure the sample is error free.

Correcting for the two obvious errors, your example will look like

where if ($PhoneNumber$ ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$PhoneNumber$%"))

Here is problem 3: if you enter no text, Splunk not only returns nothing, but will also give you an error

Error in 'where' command: The expression is malformed. An unexpected character is reached at '* ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%*%"))'.

In an evaluation context (which where command uses), if you want to use a token as literal string, you must quote it.

Correcting for this 3rd error, you get

where if ("$PhoneNumber$" ="*", like('Wireless number and descriptions',"%"),like('Wireless Number and descriptions',"%$PhoneNumber$%"))

While this gives you output when you enter nothing into input, it has a 4th problem that you can diagnose using @PickleRick's suggestion by clicking the magnifying glass: your second value in the if function misspells field name Wireless number and descriptions - "number" is spelled with a capital N. I deduce that your field name contains the word "number" with lower case because you said when you enter a valid phone number your mistaken dashboard still returns nothing. (Also because in the rest of the search you used all-lower case "number".

So, the least you can change to is

where if ("$PhoneNumber$" ="*", like('Wireless number and descriptions',"%"),like('Wireless number and descriptions',"%$PhoneNumber$%"))

However, the first value in the expression is a waste because like('Wireless number and descriptions',"%") always evaluates to true. You should tell the compiler to just do so.

where if ("$PhoneNumber$" ="*", true(), like('Wireless number and descriptions',"%$PhoneNumber$%"))

But then, why invoke if function if you can just use a search term? How about

index="cellulardata" "Wireless number and descriptions" = "*$phonenumber$*"
| eval Type=if(like(lower('Charge description'), "%text%")  OR like(lower('Charge description'), "%ict%"), "Text", "Voice")
| eval Direction=if (Type="Voice" AND 'Called city_state' = "INCOMING,CL","Incoming","Outgoing")
| eval datetime =Date." ".Time
| eval _time=strptime (datetime,"%m/%d/%Y %H:%M")
| eval DateTime=strftime(_time, "%m/%d/%y %I:%M %p")
| eval To_from=replace (To_from,"\.","")
| table DateTime, "Wireless number and descriptions", To_from, Type, Direction
| rename "Wireless number and descriptions" as Number
| sort -DateTime

JohnD-Splunker

Thanks to yuanliu ! the code below worked. Sorry about the typos...that was just some fat-fingering trying to post the query. I was not aware of the the true() function, but learn something new everyday.

where if ("$PhoneNumber$" ="*", true(), like('Wireless number and descriptions',"%$PhoneNumber$%"))

PickleRick

First thing to do in such cases is to click "open in search" and check what the actual search is being rendered into after substituting the tokens.

livehybrid

Hi @JohnD-Splunker

I have a suspicion that when you do $PhoneNumber$ ="*" your actually going to end up with *="*"

I would suggest updating $PhoneNumber$ to

$PhoneNumber|s$

This adds quotes around the value.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Display all results if text field is * , or partials results based on any part of phone number entered

other

Holistic Visibility and Effective Alerting Across IT and OT Assets

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud