Splunk Search

How can I build a Dashboard/Search to use optional Text inputs?

dpanych
Communicator

I am trying to build a dashboard with multiple Text inputs that are optional. Say I have 4 Text input boxes: UserID, PID, SPID, and IP, with Default/Load values being "*". The initial search will return all results. But say I want to just search a UserID and want to bring back all data when UserID = "This_is_a_user". If I'm searching only on UserID, I don't want the other fields being searched on. How can I do this?

(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time

gokadroid
Motivator

If userid, pid, spid and ip are the four tokens, one for each text box, then setting each text input's Default value to * should make it work the way you want, since by * you tell Splunk to search all values of the field to which this text input token (if you left it blank) got set.

Additionally, set the token prefix and token suffix to " (double quotes) so that you get the desired result of "tokenValue". If the token is not set and/or the default of * is chosen, the token value becomes "*", which might be more friendly 🙂

Hence, by setting just one of the four tokens and leaving the other three blank, the three you don't want to search on become "*", which is equal to not searching for anything specific on them. That gives you the desired result: search all values of the three fields left blank and only filter on the one that is not blank.

Then the query below should work fine the way you require it.

(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time

dpanych
Communicator

That would work, but I have some events that contain only three of the four fields (UserID PID IP), and some events do not have SPID and/or IP. So if I input data into the UserID and PID text boxes, leaving SPID and IP as "*" (UserID=Larry PID=1 SPID=* IP=*), that does not work because the event contains the fields UserID and PID but does not have SPID and IP. Having "*" for SPID and IP implies that the event contains those two fields.


niketn
Legend

By default the search filters have an implicit AND between them if you do not specify the operator explicitly. All you need to do is add OR between all the filters you want to use.

(index=AUTH OR index=EXTERNAL_APP) AND (UserID=$userid$ OR PID=$pid$ OR SPID=$spid$ OR IP=$ip$)
| table _time AppID UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email

Also, in your table make _time the first column and the result will automatically be sorted on the first field. This should save you one additional final sort command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

Since you have a variety of events and conditions, you should use separate dropdown/checkbox inputs between each field input to explicitly select the operator you need. By default you can have AND selected for all of them.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"