Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change stats on optional field?

rangarbus
Path Finder
‎03-17-2022 07:07 PM

Hello Folks,

I have the below query on one of my dashboard panel.

Here I pass the IN_BUSINESSDATE field value from dashboard (form input) with default as % and prefix & sufix value as %. So incase user does not provide, the query gets IN_BUSINESSDATE as %%% (its ok)

index=dockerlogs 
| search app_name = ABCD AND logEvent="Delivered"
| spath input=businessKey path=businessDate output=businessDate
| spath input=businessKey output=sourceSystem path=sourceSystem
| eval businessDate=substr(businessDate,1,10)
| where like(businessDate, "$IN_BUSINESSDATE$")
| stats count by businessDate, sourceSystem

Now I would like to change the stats on the query as below if IN_BUSINESSDATE is not provided (meaning value is %%%)

| stats count by sourceSystem

How can I achieve this ?

Thank you!

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 12:31 AM

Add a change handler to the input and set another token business_date_entered to "businessDate" if there is an entry and "" otherwise, then use this new token on the stats command

| stats count by $business_date_entered$ sourceSystem

 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 12:31 AM

Add a change handler to the input and set another token business_date_entered to "businessDate" if there is an entry and "" otherwise, then use this new token on the stats command

| stats count by $business_date_entered$ sourceSystem

 

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...