I'm having trouble filtering results using a text input token.
When I enter the name of an application, the record with the correct app name is returned but so are other fields where the Application is listed as Unknown/null. I'm guessing this has something to do with the token being in a subsearch, but I can't seem to prevent the other rows being returned.
Let's say I'm searching for Application "test". I just want to see the first row; instead I see:
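| VM | IP | OperatingSystem_Code | Application | BusinessAppOwner | BusinessAppSME | ITAppOwner | ITAppSME |
|---|---|---|---|---|---|---|---|
| Test | 1.2.3 | Windows | Test | Person A | Person B | Person C | Person D |
| Test1 | 4.5.6 | Wndows | Unknown | | | | |
| Test2 | 7.8.9 | Linux | Unknown | | | | |
| Test3 | 10.1.2 | Linux | Unknown | | | | |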
.....
<panel>
<label>VM</label>
<default>*</default>
<prefix>VM="</prefix>
<suffix>"</suffix>
</input>
<input type="text" token="appfield" searchWhenChanged="true">
<label>Application</label>
<default>*</default>
<prefix>Application="</prefix>
<suffix>"</suffix>
</input>
<table>
<title>VM</title>
<search>
<query>index=cms_vm OperatingSystem_Code=*2008* $vmname$ | dedup VM| eval VM=upper(VM)| join type=outer VM [search index="cms_app_server" earliest="10/01/2018:00:00:00" latest="10/01/2018:24:00:00" "$appfield$" | fields VM Application]| join type=outer Application [search index="cms_application" earliest=1 latest=now() | dedup Code | fields Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME] | table VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME| fillnull value=Unknown Application| rename Asset AS "Asset Type", OperatingSystem_Code AS "Operating System"</query>
<earliest>1537848000</earliest>
<latest>1537934400</latest>
</search>
<option name="count">20</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
Here's an example:
[search index="cms_app_server" earliest="10/01/2018:00:00:00" latest="10/01/2018:24:00:00" Application=* "$appfield$" | fields VM Application]
Consider adding Application=* to eliminate any null values.
I've tried this too. When I try this, null values still appear in the stats table, not just the record that fits the token criteria.
Your VM field is the key between index cms_vm and cms_app_server.
Since your VM values Test, Test1, Test2, Test3 are present in the outer query, all the rows are appearing.
You are searching on the Application field within the inner query, so the inner query is giving you only the first row, but due to the outer query you are getting all the rows which have a blank application, and then you have one more outer join.
Your where should be just before table:
|where Application="$appfield$" | table VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME|
Yeah I know it's tricky with the outer joins. I tried your suggestion but get "No results found" even when all tokens are on 'Select *'
If the appfield token has the value, then it should be able to filter in the where clause. If appfield is TEST then you should get the first row. Did you try removing the quotes, like where Application=$appfield$?
Also you can see the runtime token value on the dashboard URL as form.appfield=value, so that can help to check if the token is populating correctly.
The token looks like it's populating correctly based on the dashboard URL. I also tried removing the quotes, but it still doesn't provide any results.
Can you give Application="$apptoken$" in your search?
I've tried doing that, but I still get the same issue where the Unknown results still appear.
Why are you using an outer join? Do you want the events from index cms_vm to be always displayed, or to be displayed only when the join condition matches? You can use join type=inner for that case.
I want to see all events, not just ones where the condition matches.
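As an added illustration (not code from any poster in this thread), the Python model below uses constructed rows shaped like the table in the question to show two mechanics behind the symptoms discussed above: the `<prefix>`/`<suffix>` on the input means `$appfield$` already expands to `Application="test"`, and a filter placed inside the subsearch of an outer join only narrows the right-hand side. The helper names and the case-insensitive wildcard matcher are assumptions that approximate Splunk's `search` matching; they are not Splunk APIs.

```python
from fnmatch import fnmatchcase

# Constructed sample rows modelled on the table in the question.
CMS_VM = [{"VM": "TEST", "IP": "1.2.3"}, {"VM": "TEST1", "IP": "4.5.6"},
          {"VM": "TEST2", "IP": "7.8.9"}, {"VM": "TEST3", "IP": "10.1.2"}]
CMS_APP_SERVER = [{"VM": "TEST", "Application": "Test"}]


def expand_token(value, prefix='Application="', suffix='"'):
    """Simple XML wraps the typed value in <prefix>/<suffix> before substitution."""
    return f"{prefix}{value}{suffix}"


def substitute(template, value):
    """Replace $appfield$ in a query fragment with the expanded token."""
    return template.replace("$appfield$", expand_token(value))


def left_outer_join(left, right, key):
    """Keep every left row; copy right-hand fields only where the key matches."""
    index = {row[key]: row for row in right}
    return [{**row, **index.get(row[key], {})} for row in left]


def matches(field_value, pattern):
    """Assumed stand-in for `search field="pattern"`: case-insensitive, * is a wildcard."""
    return fnmatchcase(field_value.lower(), pattern.lower())


def dashboard_rows(app_value, filter_after_join):
    # Filter inside the subsearch: this only reduces the right-hand side of the join.
    right = [r for r in CMS_APP_SERVER if matches(r["Application"], app_value)]
    rows = left_outer_join(CMS_VM, right, "VM")
    for row in rows:
        row.setdefault("Application", "Unknown")  # fillnull value=Unknown Application
    if filter_after_join:
        # Filter on the joined result, after fillnull, so "*" still matches "Unknown".
        rows = [r for r in rows if matches(r["Application"], app_value)]
    return rows


if __name__ == "__main__":
    print(substitute('where Application="$appfield$"', "test"))  # doubled field name
    print(substitute("search $appfield$", "test"))               # well-formed filter
    print([r["VM"] for r in dashboard_rows("test", filter_after_join=False)])
    print([r["VM"] for r in dashboard_rows("test", filter_after_join=True)])
```

In the dashboard itself, the corresponding placement would be a bare `$appfield$` in a `search` command after `fillnull` and before `table`; treat that as a suggestion to try, since it has not been run against the poster's indexes.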