Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create Splunk search based on textbox field?

srv007
Path Finder
‎04-06-2023 08:50 AM

I have a splunk search query which shows the details but the problem here is it only shows the results if the hostname passed in the text box is with fqdn. If hostname entered is without fqdn it won't show any result. How do I make the query to work if I pass abc123.xyz.com or abc123.

Apologizes if it's already answered, very new to Splunk.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-06-2023 11:22 PM

Welcome to Splunk Community @srv007 .

I think answer by @gcusello should solve your problem. (Basically using wildcard).

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-06-2023 11:22 PM

Welcome to Splunk Community @srv007 .

I think answer by @gcusello should solve your problem. (Basically using wildcard).

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-10-2023 08:08 AM

Hello @srv007, I'm a Splunk Community Moderator,

Kindly accept the answer posted by @gcusello ,  as that's the answer to your question.

On my post, you can add "Karma/Upvote" if you like it. That would be appreciated!!

 

Thanks @srv007 , Happy Splunking!!!

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-06-2023 04:00 PM

Have a hidden base search that uses the input from the text box and changes the "$host_from_textbox_token$" value from it like this:

|makeresults
| eval host="$host_from_textbox_token$"
| lookup dnslookup clienthost AS host OUTPUT clientip AS ipFromHost
| lookup dnslookup clientip AS host OUTPUT clienthost AS hostFromIp
| rex field=host "(?<barehost>.*?)\.\w+\.\w+$"
| eval host = mvappend(host, ipFromHost, hostFromIp, barehost)
| table host
| format


Then use grab "$result.search$" in the "change" section to set another token and use that one everywhere else.

Reply
Solved! Jump to solution

srv007
Path Finder
‎04-06-2023 08:54 AM

Correction -

It's text box pannel and not text book.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2023 09:02 AM

Hi @srv007 ,

are you speaking of a text input panel to perform a search?

If yes, you can add an asterisk in prefix and suffix:

    <input type="text" token="user">
      <label>User</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>user="*</prefix>
      <suffix>*"</suffix>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
    </input>

 Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...