Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to ignore a field from search if the value is null, and then search based on the second input.?

kuriakose
Explorer
‎10-30-2020 08:20 AM

How to ignore a field from search if the value is null, search based on the second input.?
I have two inputs and this search will work only if i have some value in both the fields. I need the result, even if one value is null.

1.png

name="$field4$" OR EmpID="$field5$"

Found a similar one here,
but this did not resolve my issue.

Appreciate the help in advance.

https://community.splunk.com/t5/Getting-Data-In/How-to-omit-a-field-from-search-on-a-text-input-if-t...

Labels (1)
Labels
Preview file
8 KB
0 Karma
Reply

kuriakose
Explorer
‎11-03-2020 07:35 AM

I could sort out this issue by trying |search ($test1$ $test2$). 

Now the search is giving the results even if one input is null. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2020 07:43 AM

Doesn't this just do ($test1$ AND $test2$)?

0 Karma
Reply

kuriakose
Explorer
‎10-30-2020 09:07 AM

I have field values, name and EmpID in my index. The above search will not work if I am giving only a single input. I have to give both the inputs then only its working. which I don't want. Sometime I will have only one input.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2020 09:47 AM

Try setting the default to * and/or in the change handler for the text input set a token to * if the input is empty and use those tokens in your search

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2020 08:51 AM

Have your inputs set a new token which includes the name= if the value of the input is not empty otherwise set it to an empty string or perhaps unset it. Then use the whole of the new token(s) in your search.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...