Splunk Search

How can I build a Dashboard/Search to use optional Text inputs?

Communicator

I am trying to build a dashboard with multiple Text inputs that are optional. Say I have 4 Text input boxes: UserID, PID, SPID, and IP, with Default/Load values being "*". The initial search will return all results. But say I want to just search a UserID and want to bring back all data when UserID = "This_is_a_user". If I'm searching only on UserID, I don't want the other fields being searched on. How can I do this?

(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time
0 Karma

Motivator

If userid, pid, spid and ip are the four tokens, one for each of the text boxes, then setting each text input's Default value to * should make it work the way you want, since by * you imply that Splunk should search all values of the field to which this text input token got set (in case you left it blank).

Additionally, update the token prefix and token suffix to " (double quotes) so that you get the desired result of (double quotes)tokenValue(double quotes). If the token is not set and/or the default of * is chosen, the token value becomes "*", which might be more friendly 🙂

Hence, by setting just one of the four tokens and leaving the other three blank, the three you don't want to search on become "*", which is equal to not searching for anything specific on them. That gives you the desired result: search all values of the three fields left blank and only filter on the one that is not blank.

Then the query below should work fine the way you require it.

 (index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
 | table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
 | sort _time

Communicator

That would work, but I have some events that contain only three of the four fields (UserID PID IP) - some events do not have SPID and/or IP. So if I input data into the UserID and PID text boxes, leaving SPID and IP as "*" ( UserID=Larry PID=1 SPID=* IP=*), that does not work because the event contains fields UserID PID and does not have SPID and IP. Having "*" for SPID and IP implies that the event contains the two fields.

0 Karma

Legend

By default the search filters have a logic AND between them, if you do not specify the same explicitly. All you need to do is add OR between all the filters you want to use.

 (index=AUTH OR index=EXTERNAL_APP) AND (UserID=$userid$ OR PID=$pid$ OR SPID=$spid$ OR IP=$ip$)
 | table _time AppID UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email

Also, in your table, change _time to be the first column and the result will be automatically sorted based on the first field. This should save you one additional final sort command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
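Putting the two answers above together (default of *, double-quote prefix/suffix on each text input, and OR between the field filters) as a Simple XML dashboard. This is an added example, not the dashboard from the thread; the index names and field list come from the posts above, while the form label and the 24-hour time range are assumptions.

```xml
<form>
  <label>Optional text input filters (added example)</label>
  <fieldset submitButton="true">
    <!-- Each input defaults to * and is wrapped in double quotes,
         so an untouched box renders as UserID="*" in the search. -->
    <input type="text" token="userid">
      <label>UserID</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="pid">
      <label>PID</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="spid">
      <label>SPID</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="ip">
      <label>IP</label>
      <default>*</default>
      <prefix>"</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- OR between the field filters, so an event missing SPID or IP
               still matches when UserID or PID is filled in.
               _time first so the table is sorted without a separate sort. -->
          <query>(index=AUTH OR index=EXTERNAL_APP) AND (UserID=$userid$ OR PID=$pid$ OR SPID=$spid$ OR IP=$ip$)
| table _time AppID UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email</query>
          <earliest>-24h@h</earliest>  <!-- assumed time range -->
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With every box left at its default, the search becomes UserID="*" OR PID="*" OR ..., which matches any event carrying at least one of the four fields.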

Legend

Since you have a variety of events and conditions, you should use separate dropdown/checkbox inputs between each field input to explicitly select the operator you need. By default you can have all set to AND.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma