Splunk Search

How can I build a Dashboard/Search to use optional Text inputs?

dpanych
Communicator

I am trying to build a dashboard with multiple Text inputs that are optional. Say I have 4 Text input boxes: UserID, PID, SPID, and IP, with Default/Load values being "*". The initial search will return all results. But say I want to just search a UserID and want to bring back all data when UserID = "This_is_a_user". If I'm searching only on UserID, I don't want the other fields being searched on. How can I do this?

(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time

gokadroid
Motivator

If userid, pid, spid and ip are the four tokens, one for each of the text boxes, then setting each text input's Default value to * should work the way you want, since by * you imply that Splunk should search all the values for the field to which this text input token (in case you left it blank) got set.

Additionally, update the token prefix and token suffix to " (double quotes) so that you get the desired result of "tokenValue". If the token is not set and/or a default of * is chosen, the token value becomes "*", which might be more friendly 🙂

Hence, by just setting one of the four tokens and leaving the other three blank, the three on which you don't want to search will become "*", which is equal to not searching for anything specific on them. This gives you the desired result: search all values of the three fields left blank and only filter on the one that is not blank.

Then the query below should work fine the way you require it.

(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time

dpanych
Communicator

That would work, but I have some events that contain only three of the four fields (UserID PID IP); some events do not have SPID and/or IP. So if I input data into the UserID and PID text boxes, leaving SPID and IP as "*" (UserID=Larry PID=1 SPID=* IP=*), that does not work because the event contains the fields UserID and PID and does not have SPID and IP. Having "*" for SPID and IP implies that the event contains the two fields.


niketn
Legend

By default the search filters have an implicit AND between them if you do not specify one explicitly. All you need to do is add OR between all the filters you want to use.

(index=AUTH OR index=EXTERNAL_APP) AND (UserID=$userid$ OR PID=$pid$ OR SPID=$spid$ OR IP=$ip$)
| table _time AppID UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email

Also, in your table, make _time the first column and the result will automatically be sorted on the first field. This should save you the additional final sort command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
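The two answers above pull in different directions: an AND search with FIELD="*" still requires the field to exist on the event (which is why the SPID-less events vanish), while an OR search loosens every filter at once, so UserID=Larry with PID=1 would also return other users whose PID is 1. The filter the question actually wants is "AND the fields the user filled in, and say nothing about the rest". The script below is an added example, not code from the thread or from Splunk: it emulates, outside Splunk, what a dashboard does when it substitutes $token$ values into the search, so the clause-dropping logic and the double-quote prefix/suffix from gokadroid's answer can be exercised against constructed events. The index and field names are the ones from the question; the function names, the sample events and the escaping rule (backslash-escaping quotes inside the quoted term) are this example's own assumptions.

```python
"""Compose a Splunk search from optional dashboard text inputs.

Added example, not part of the thread. Emulates dashboard token substitution
outside Splunk so the optional-filter logic can be tested on sample events.
"""

# Index and field names come from the question; everything else is assumed.
BASE = "(index=AUTH OR index=EXTERNAL_APP)"
FIELDS = ("UserID", "PID", "SPID", "IP")
TABLE = ("| table _time AppID UserID Session IP SystemID PID SPID "
         "Page Function FName MI LName Address Email")


def is_unset(value) -> bool:
    """A blank box or the default '*' means 'do not filter on this field'."""
    return (value or "").strip() in ("", "*")


def quote(value: str) -> str:
    """Same effect as a token prefix/suffix of a double quote, plus escaping.

    Escaping keeps a typed value containing quotes or backslashes inside one
    literal search term instead of letting it alter the search syntax
    (assumed escaping rule for this example).
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_search(inputs: dict) -> str:
    """Return the SPL; a field whose input is unset is left out entirely.

    Dropping the clause (rather than emitting FIELD="*") is what keeps
    events that lack SPID or IP when the user did not filter on them.
    """
    clauses = [BASE]
    for field in FIELDS:
        value = inputs.get(field)
        if not is_unset(value):
            clauses.append(f"{field}={quote(value.strip())}")
    return " ".join(clauses) + " " + TABLE


def matches(event: dict, inputs: dict) -> bool:
    """Optional-AND semantics: every filled-in field must match exactly."""
    for field in FIELDS:
        value = inputs.get(field)
        if is_unset(value):
            continue                      # clause dropped, field may be absent
        if event.get(field) != value.strip():
            return False                  # absent or different value excludes
    return True


def matches_literal_wildcard(event: dict, inputs: dict) -> bool:
    """The original query's semantics: FIELD="*" still requires the field.

    Included only to show why events without SPID/IP disappeared.
    """
    for field in FIELDS:
        value = (inputs.get(field) or "").strip()
        if value == "":
            continue
        if field not in event:
            return False
        if value != "*" and event[field] != value:
            return False
    return True


# Constructed sample events mirroring the question: the second one has
# UserID and PID but no SPID or IP field at all.
EVENTS = [
    {"UserID": "Larry", "PID": "1", "SPID": "7", "IP": "10.0.0.5"},
    {"UserID": "Larry", "PID": "1"},
    {"UserID": "Moe", "PID": "1", "SPID": "7", "IP": "10.0.0.6"},
]


def search(inputs: dict, literal_wildcard: bool = False) -> list:
    """Run the chosen filter semantics over the constructed events."""
    pred = matches_literal_wildcard if literal_wildcard else matches
    return [e for e in EVENTS if pred(e, inputs)]


if __name__ == "__main__":
    filled = {"UserID": "Larry", "PID": "1", "SPID": "*", "IP": "*"}
    print(build_search(filled))
    print("optional AND :", search(filled))
    print("literal  *   :", search(filled, literal_wildcard=True))
```

Running it shows the difference directly: with SPID and IP left at "*", the optional-AND filter returns both Larry events, while the literal-wildcard filter returns only the one that carries SPID and IP. In a real dashboard the same effect is obtained by having the input set a token to either an empty string or a `FIELD="value"` fragment and placing that token in the search, rather than substituting the raw value into `FIELD=$token$`.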

niketn
Legend

Since you have a variety of events and conditions, you should use separate dropdown/checkbox inputs between each field input to explicitly select what you need. By default you can have all AND selected.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"