Re: How to create a filter on the field fetch usin...

Real_captain · ‎04-29-2024

Hi

Can someone help me to find a way to create a Dropdown Input on the field which is extracted using a REX command.

Example: For the below search, I want to add a new dropdown Input with the 3 values :
a) Incoming b) Outgoing c) Both

If user select Incoming, only those records with the direction as incoming will be displayed.

If user select Outgoing, only those records with the direction as Outgoing will be displayed.

If user select Both, all the records (Direction as incoming or outgoing) will be displayed.

Query:

index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VV537UP) OR TERM(VVF119P) ) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "((VV537UP -)|(VVF119P -))(?<Func>[^\-]+)"
| fillnull Func value=" PURGED"
| eval Function=trim(Func)
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y")
| rename DAT as Date_of_reception
| eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Description= case('JOBNAME' == "$VVF119P", "Reception of the CFI file from EB and trigger planning PVVZJH." ,
'JOBNAME' == "$VV537UP", "Unload of VVA537 for Infocentre." ,
1=1,"NA")
| eval DIRECTION= case('JOBNAME' == "$VVF119P", "INCOMING" , 'JOBNAME' == "$VV537UP", "OUTGOING" ,
1=1,"NA")
| eval Diff=ENDED_TIME-STARTED_TIME
| eval TimeDiff=now() - STARTED_TIME
| eval Status =
if(isnotnull(ENDED_TIME) AND (Diff<=120),"OK",if(isnotnull(ENDED_TIME) AND (Diff>120),"BREACHED",
if(isnull(ENDED_TIME) AND isnull(STARTED_TIME),"PLANNED",if(isnull(ENDED_TIME) AND isnotnull(STARTED_TIME) AND (TimeDiff>1000),"FAILED",
if(isnull(ENDED_TIME) AND isnotnull(STARTED_TIME) and (TimeDiff>1000),"RUNNING","WARNING")))))
| fieldformat STARTED_TIME=strftime((STARTED_TIME),"%H:%M:%S")
| fieldformat ENDED_TIME=strftime((ENDED_TIME),"%H:%M:%S")
| fieldformat PURGED_TIME=strftime( PURGED_TIME,"%H:%M:%S")
| eval diff_time = tostring(Diff , "duration")
| eval diff_time_1=substr(diff_time,1,8)
| rename diff_time_1 as EXECUTION_TIME
| table JOBNAME,Description,DIRECTION , Date_of_reception ,STARTED_TIME , ENDED_TIME , PURGED_TIME , EXECUTION_TIME , Status
| sort -STARTED_TIME

Real_captain · ‎04-29-2024

Hi

Sorry, I want to create an input (free text) on the field "JOBNAME" which is extracted via rex.

Is it possible?

Below input is working fine when I put a job name in the free_text input but when i give nothing or * in the

free_text input , it gives me no result.

<input type="text" token="free_text" searchWhenChanged="true">
<label>Free_Text</label>
<default>*</default>
<prefix>| where JOBNAME = "</prefix>
<suffix>"</suffix>
<initialValue>*</initialValue>
</input>

Any way to create an input filter as a free text for the field JOBNAME ??

I am using Free text input because there are more than 500 jobs and in the dropdown it does not look good.

ITWhisperer · ‎04-29-2024

Where doesn't support wildcards in this way, try using search instead of where

ITWhisperer · ‎04-29-2024

I am not sure where rex comes into it - you could set up a static drop down like this

Label	Value
Incoming	\| where DIRECTION=="INCOMING"
Outgoing	\| where DIRECTION=="OUTGOING"
Both

Then just place the token in your search after the DIRECTION eval

| eval DIRECTION= case('JOBNAME' == "$VVF119P", "INCOMING" , 'JOBNAME' == "$VV537UP", "OUTGOING" ,
1=1,"NA")
$direction_selector_token$
| eval Diff=ENDED_TIME-STARTED_TIME

How to create a filter on the field fetch using REX?

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation