
Filter by token only if token is present

stevedefazio
Explorer

I want to display all of my widgets by their type. Sometimes though, I want to look up a particular widget (via a text field on my dashboard).

... `rex field=Message "Blahblah(?<Type>\w+).*" | rex field=Message "xyz(?<Widget>\w+)" | stats list(Type) as Type, list(Widget) as Widgets by Whatever | where isNotNull(Type) AND if($targetWidget$=*, TRUE, "$targetWidget$" IN(Widgets)) | sort -_time`

What I'm trying to say is "If I've specified a target widget, just grab all the widgets with a type. Otherwise, filter by targetWidget (the value entered in the text box)." I have my targetWidget defaulting to *. Different combinations of quotes/no quotes around various things alternately give me errors, "search is waiting for input" forever, or simply no results.

The below query works just fine, without the IF statement.

... where isNotNull(Type) AND "$targetWidget$" IN(Widgets) | sort -_time

0 Karma

efavreau
Motivator

Maybe don't control it in your query, but control it in the textfield/form of your dashboard and set a default value of "all" on the formfield. If your dashboard text field passes nothing in, and the user loads the dashboard (or presses submit - however you have it set up), then they receive all the widgets. If you type something into the form field, then you get that. This means you already figured out the code you need for your query.
where isNotNull(Type) AND "$targetWidget$" IN(Widgets) | sort -_time

###

If this reply helps you, an upvote would be appreciated.
0 Karma
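
An added example (not part of the original thread and not any poster's code) of the approach suggested above: the text input defaults to `*`, and the filter uses the `search` command, which treats `*` as a wildcard and matches a multivalue field when any of its values matches, in place of the `where ... IN` expression from the question. Assumptions: `index=placeholder_index` stands in for the elided base search, the field names are the ones in the question, and the `|s` token filter is used so the typed value is quoted and escaped before it is substituted into the SPL.

```xml
<form>
  <label>Widgets by type</label>
  <fieldset submitButton="false">
    <!-- Text box feeding $targetWidget$; "*" means "no filter" -->
    <input type="text" token="targetWidget" searchWhenChanged="true">
      <label>Widget</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- CDATA lets the rex named groups keep their literal < and > -->
          <query><![CDATA[
            index=placeholder_index
            | rex field=Message "Blahblah(?<Type>\w+).*"
            | rex field=Message "xyz(?<Widget>\w+)"
            | stats list(Type) as Type, list(Widget) as Widgets by Whatever
            | search Type=* Widgets=$targetWidget|s$
          ]]></query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Tokens are substituted as plain text before the SPL is parsed, so the single `search` clause covers both cases: with the default it becomes `Widgets="*"` (every row that has a widget), and with a typed value it becomes an exact match on that widget.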

niketn
Legend

@stevedefazio while posting code/data on Splunk answers use the code button (10101) or select code/data and use keyboard shortcut Ctrl+K. This will ensure that special characters in your code/data will not get removed.

Also, for the community to assist you better, please provide sample data for the two scenarios you are trying to execute, with the sample query which you want to run. For example, it is not quite clear whether the value entered in the text box is a field name or a field value. What is Widgets? Is it a field name or a field value?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

stevedefazio
Explorer

Thanks for your comments. I can see that by not formatting it properly I made it basically impossible to read.

0 Karma