
Filter by token only if token is present


I want to display all of my widgets by their type. Sometimes though, I want to look up a particular widget (via a text field on my dashboard).

... `rex field=Message "Blahblah(?<Type>\w+).*" | rex field=Message "xyz(?<Widget>\w+)" | stats list(Type) as Type, list(Widget) as Widgets by Whatever | where isNotNull(Type) AND if($targetWidget$=*, TRUE, "$targetWidget$" IN(Widgets)) | sort -_time`

What I'm trying to say is "If I've specified a target widget, just grab all the widgets with a type. Otherwise, filter by targetWidget (the value entered in the text box)." I have my targetWidget defaulting to *. Different combinations of quotes/no quotes around various things alternately give me errors, "search is waiting for input" forever, or simply no results.

The below query works just fine, without the IF statement.

`... where isNotNull(Type) AND "$targetWidget$" IN(Widgets)) | sort -_time`

0 Karma


Maybe don't control it in your query, but control it in the textfield/form of your dashboard and set a default value of "all" on the formfield. If your dashboard text field passes nothing in, and the user loads the dashboard (or presses submit - however you have it set up), then they receive all the widgets. If you type something into the form field, then you get that. This means you already figured out the code you need for your query.

`where isNotNull(Type) AND "$targetWidget$" IN(Widgets)) | sort -_time`


If this reply helps you, an upvote would be appreciated.
0 Karma
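
The form-field approach suggested in the answer above, as an added example that is not part of the original thread: a Simple XML text input whose token defaults to `*`, with the filter done by the `search` command so that the default matches every row. The `makeresults` sample data, the labels and the choice of `search` with the `|s` token filter are assumptions made for this example; the field and token names come from the question.

```xml
<form>
  <label>Widgets by type</label>
  <fieldset submitButton="true">
    <!-- Default of * means "no filter": the panel runs as soon as the
         dashboard loads instead of waiting for input. -->
    <input type="text" token="targetWidget">
      <label>Widget</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed sample data stands in for the real base search
               and the two rex extractions from the question. -->
          <!-- $targetWidget|s$ wraps the typed value in quotes and escapes
               embedded quotes, so user input stays a literal string and
               cannot append extra search syntax. -->
          <!-- search matches a multivalue field when any one of its values
               matches; Widgets="*" matches every row that has a Widgets
               value. -->
          <query>
            | makeresults count=4
            | streamstats count AS n
            | eval Whatever=if(n%2==0, "hostA", "hostB"),
                   Type=case(n==1, "gear", n==2, "cog", n==3, "gear", n==4, "bolt"),
                   Widget="w".n
            | stats list(Type) AS Type, list(Widget) AS Widgets BY Whatever
            | where isnotnull(Type)
            | search Widgets=$targetWidget|s$
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With the default `*`, rows that have a Type but no Widgets value are dropped by `Widgets="*"`; if those rows must appear, fill the field first (for example with `fillnull`) before the final `search`.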


@stevedefazio, while posting code/data on Splunk Answers, use the code button (10101) or select the code/data and use the keyboard shortcut Ctrl+K. This will ensure that special characters in your code/data do not get removed.

Also, for the community to assist you better, please provide sample data for the two scenarios you are trying to execute, with the sample query which you want to run. For example, it is not quite clear whether the value entered in the text box is a field name or a field value. What is Widgets? Is it a field name or a field value?

`| makeresults | eval message= "Happy Splunking!!!"`


Thanks for your comments. I can see that by not formatting it properly I made it basically impossible to read.

0 Karma