How come the text input token is not filtering out all results?

gbwilson
Path Finder

I'm having trouble filtering results using a text input token.

When I enter the name of an application, the record with the correct app name is returned, but so are other rows where the Application is listed as Unknown/null. I'm guessing this has something to do with the token being in a subsearch, but I can't seem to prevent the other rows from being returned.

Let's say I'm searching for Application "test". I just want to see the first row; instead I see:

VM     IP      OperatingSystem_Code  Application  BusinessAppOwner  BusinessAppSME  ITAppOwner  ITAppSME
Test   1.2.3   Windows               Test         Person A          Person B        Person C    Person D
Test1  4.5.6   Windows               Unknown
Test2  7.8.9   Linux                 Unknown
Test3  10.1.2  Linux                 Unknown
.....

<panel>
  <!-- Opening tag restored for the VM input: token name taken from $vmname$ in the query below,
       searchWhenChanged assumed to match the Application input -->
  <input type="text" token="vmname" searchWhenChanged="true">
    <label>VM</label>
    <default>*</default>
    <prefix>VM="</prefix>
    <suffix>"</suffix>
  </input>
  <input type="text" token="appfield" searchWhenChanged="true">
    <label>Application</label>
    <default>*</default>
    <prefix>Application="</prefix>
    <suffix>"</suffix>
  </input>
  <table>
    <title>VM</title>
    <search>
      <!-- $appfield$ is applied inside the first (outer) join's subsearch, so it only narrows the right-hand side -->
      <query>index=cms_vm OperatingSystem_Code=*2008* $vmname$ | dedup VM| eval VM=upper(VM)| join type=outer VM [search index="cms_app_server" earliest="10/01/2018:00:00:00" latest="10/01/2018:24:00:00" "$appfield$" | fields VM Application]| join type=outer Application [search index="cms_application" earliest=1 latest=now() | dedup Code | fields Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME] | table VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME| fillnull value=Unknown Application| rename Asset AS "Asset Type", OperatingSystem_Code AS "Operating System"</query>
      <earliest>1537848000</earliest>
      <latest>1537934400</latest>
    </search>
    <option name="count">20</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
0 Karma

nswondem
Path Finder

Here's an example:

[search index="cms_app_server" earliest="10/01/2018:00:00:00" latest="10/01/2018:24:00:00" Application=* "$appfield$" | fields VM Application]
0 Karma

nswondem
Path Finder

Consider adding Application=* to eliminate any null values.

0 Karma

gbwilson
Path Finder

I've tried this too. When I try this, null values still appear in the stats table, not just the record that fits the token criteria.

0 Karma

Vijeta
Influencer

Your VM field is the key between index cms_vm and cms_app_server.
Since your VM values Test, Test1, Test2, Test3 are present in the outer query, all the rows are appearing.
You are searching on the Application field within the inner query, so the inner query is giving you only the first row, but due to the outer query you are getting all the rows which have a blank Application, and then you have one more outer join.
Your where should be just before table:

|where Application="$appfield$" | table VM IP OperatingSystem_Code Application BusinessAppOwner BusinessAppSME ITAppOwner ITAppSME|
0 Karma

gbwilson
Path Finder

Yeah, I know it's tricky with the outer joins. I tried your suggestion but get "No results found" even when all tokens are on 'Select *'.

0 Karma

Vijeta
Influencer

If the appfield token has the value, then it should be able to filter in the where clause. If appfield is TEST then you should get the first row. Did you try removing the quotes, like where Application=$appfield$?

Also, you can see the runtime token value in the dashboard URL as form.appfield=value, so that can help to check if the token is populating correctly.

0 Karma

gbwilson
Path Finder

The token looks like it's populating correctly based on the dashboard URL. I also tried removing the quotes, but it still doesn't provide any results.

0 Karma

Vijeta
Influencer

Can you give Application="$apptoken$" in your search?

0 Karma

gbwilson
Path Finder

I've tried doing that, but I still get the same issue where the Unknown results still appear.

0 Karma

Vijeta
Influencer

Why are you using an outer join? Do you want the events from index cms_vm to be always displayed, or to be displayed only when the join condition matches? You can use join type=inner for that case.

0 Karma
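To make the join behaviour that Vijeta describes (the outer join keeps every cms_vm row, so a token applied inside the subsearch can only shrink the right-hand side, while a filter placed after the join can drop the Unknown rows) and the inner-versus-outer question above concrete, here is a small Python model of the dashboard's pipeline. It is an added example, not Splunk code and not from either poster: the rows are constructed from the sample table in the question, `join` models `join type=outer|inner VM` as an exact-match lookup that keeps the first matching right-hand row, `splunk_search_filter` models the case-insensitive, wildcard-aware `search field=value`, and `splunk_where_equals` models the exact string comparison that `where field="value"` performs. The model takes the bare token value and deliberately ignores the `<prefix>`/`<suffix>` wrapping configured in the XML (which already turns the token into `Application="..."`); the second join onto cms_application is left out because it does not change the row count being discussed.

```python
"""Model of the Splunk outer/inner join and token-filter behaviour discussed
in this thread. Added example; not Splunk's code and not from the posters."""
from fnmatch import fnmatchcase

# Constructed sample events for index=cms_vm (left-hand side of the join),
# taken from the sample table in the question.
CMS_VM = [
    {"VM": "Test",  "IP": "1.2.3",  "OperatingSystem_Code": "Windows"},
    {"VM": "Test1", "IP": "4.5.6",  "OperatingSystem_Code": "Windows"},
    {"VM": "Test2", "IP": "7.8.9",  "OperatingSystem_Code": "Linux"},
    {"VM": "Test3", "IP": "10.1.2", "OperatingSystem_Code": "Linux"},
]

# Constructed events for index=cms_app_server (right-hand side): only the
# "Test" VM has an application record, so it is the only join match.
CMS_APP_SERVER = [
    {"VM": "TEST", "Application": "Test"},
]


def splunk_search_filter(rows, field, pattern):
    """Model of `search field=pattern`: case-insensitive, `*` is a wildcard,
    and rows that lack the field never match."""
    return [r for r in rows
            if field in r and fnmatchcase(r[field].lower(), pattern.lower())]


def splunk_where_equals(rows, field, value):
    """Model of `where field="value"`: exact, case-sensitive string comparison.
    A literal "*" is just the one-character string "*", not a wildcard."""
    return [r for r in rows if r.get(field) == value]


def join(left, right, key, join_type="outer"):
    """Model of `join type=<outer|inner> key [subsearch]`.
    Keys are compared as exact strings; the first right-hand row per key wins.
    type=outer keeps unmatched left rows, type=inner drops them."""
    index = {}
    for r in right:
        index.setdefault(r[key], r)
    out = []
    for l in left:
        match = index.get(l[key])
        if match is not None:
            out.append({**l, **{k: v for k, v in match.items() if k != key}})
        elif join_type == "outer":
            out.append(dict(l))
    return out


def fillnull(rows, field, value="Unknown"):
    """Model of `fillnull value=Unknown field`."""
    return [{**r, field: r.get(field, value)} for r in rows]


def dashboard_query(appfield, filter_position, join_type="outer"):
    """Run the modelled pipeline with the $appfield$ value applied at one of
    three places: "subsearch" (as in the question), "where" (the where-before-
    table suggestion) or "search" (a post-join search command, wildcard-aware).
    Returns (VM, Application) pairs in pipeline order."""
    left = [dict(r, VM=r["VM"].upper()) for r in CMS_VM]   # eval VM=upper(VM)
    right = CMS_APP_SERVER
    if filter_position == "subsearch":
        # Filtering inside the subsearch only narrows the right-hand side;
        # an outer join still emits every left-hand row.
        right = splunk_search_filter(right, "Application", appfield)
    rows = fillnull(join(left, right, "VM", join_type), "Application")
    if filter_position == "where":
        rows = splunk_where_equals(rows, "Application", appfield)
    elif filter_position == "search":
        rows = splunk_search_filter(rows, "Application", appfield)
    return [(r["VM"], r["Application"]) for r in rows]


if __name__ == "__main__":
    for token in ("Test", "*"):
        for pos in ("subsearch", "where", "search"):
            print(f"token={token!r:6} at {pos:9}:", dashboard_query(token, pos))
    print("inner join, subsearch, token='*':",
          dashboard_query("*", "subsearch", join_type="inner"))
```

Running it reproduces each step of the thread: with the token inside the subsearch the outer join returns all four VMs, three of them Unknown; a `where` after the join returns only the matching row for `Test`, but returns nothing at all for the default `*` because `where` compares strings exactly, which is the "No results found" seen when every input is left on `*`; a post-join `search` honours the wildcard, so `*` keeps every row and `Test` keeps one; and `join type=inner` removes the Unknown rows regardless of the token, at the cost of never showing the VMs that have no cms_app_server record.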

gbwilson
Path Finder

I want to see all events, not just ones where the condition matches.

0 Karma