Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to create a text field where users can type keywords to search the results in a table?

vil505
Explorer
‎06-07-2016 10:37 AM

I'm making a table that reports the error events on servers. I was able to make this work fine, allowing it to show the error string, the host and directory it occurred on, and the time it occurred. Now, I would like to make it so the user can type in key words in a text field and the table will only show the events that have these word. When I tried to do this, however, the table returned "No results found." For example, I can have the text input set to the default * and it will show the errors fine, but if I type in "ERROR," which all the events have, it will give me know results found.

Here is the string I am using:

host=$hosttok1$ "ERROR"  sourcetype=streamer_nohup source=$sourcetok1$| regex _raw!="WARN"| rex "(?<error>\w{5}\s+.{100})"| table _time host source error| search error=$texttok1$

This is based on a previous table I made that shows IP address and allows you to seek specific IP addresses:

index=qp_mds  sourcetype=mds_perf host=$hosttok1$| rex "(?<IP>\d+\.\d+\.\d+\.\d+)" | table _time host IP| search IP=$texttok1$

Note that the IP table works exactly as intended.

0 Karma
Reply

vil505
Explorer
‎06-10-2016 08:47 AM

I found a simple work around.

The text box was looking for the exact string, the whole error string. All I had to do was put wild cards on each side of the word I type in.

0 Karma
Reply

sundareshr
Legend
‎06-07-2016 10:42 AM

I assume the token are referring to is $texttok1$. Put it within quotes like this error="$texttok1$"

0 Karma
Reply

vil505
Explorer
‎06-08-2016 08:55 AM

This is the table I see

table.png
Preview file
102 KB
0 Karma
Reply

vil505
Explorer
‎06-08-2016 08:56 AM

This is the table I see. I couldn't post this image into the comments.

0 Karma
Reply

vil505
Explorer
‎06-07-2016 10:48 AM

Still nothing.

Here's the rest of the source code, if it helps at all.

    <panel>
      <input type="time" token="timetok1">
        <label>Select a time range.</label>
        <default>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="dropdown" token="hosttok1">
        <label>Select a host.</label>
        <default>prdctlsstrstp*</default>
        <choice value="prdctlsstrstp*">All</choice>
        <choice value="prdctlsstrstp09">prdctlsstrstp09</choice>
        <choice value="prdctlsstrstp10">prdctlsstrstp10</choice>
        <choice value="prdctlsstrstp11">prdctlsstrstp11</choice>
        <choice value="prdctlsstrstp12">prdctlsstrstp12</choice>
        <choice value="prdctlsstrstp13">prdctlsstrstp13</choice>
        <choice value="prdctlsstrstp14">prdctlsstrstp14</choice>
        <choice value="prdctlsstrstp15">prdctlsstrstp15</choice>
        <choice value="prdctlsstrstp16">prdctlsstrstp16</choice>
        <choice value="prdctlsstrstp17">prdctlsstrstp17</choice>
        <choice value="prdctlsstrstp18">prdctlsstrstp18</choice>
        <choice value="prdctlsstrstp19">prdctlsstrstp19</choice>
        <choice value="prdctlsstrstp20">prdctlsstrstp20</choice>
        <choice value="prdctlsstrstp21">prdctlsstrstp21</choice>
        <choice value="prdctlsstrstp22">prdctlsstrstp22</choice>
        <choice value="prdctlsstrstp23">prdctlsstrstp23</choice>
        <choice value="prdctlsstrstp24">prdctlsstrstp24</choice>
        <choice value="prdctlsstrstp25">prdctlsstrstp25</choice>
        <choice value="prdctlsstrstp26">prdctlsstrstp26</choice>
        <choice value="prdctlsstrstp27">prdctlsstrstp27</choice>
        <choice value="prdctlsstrstp28">prdctlsstrstp28</choice>
        <choice value="prdctlsstrstp29">prdctlsstrstp29</choice>
        <choice value="prdctlsstrstp30">prdctlsstrstp30</choice>
      </input>
      <input type="dropdown" token="sourcetok1">
        <label>Select a directory</label>
        <default>/app/qp/streamerserver/logs/streaming*</default>
        <choice value="/app/qp/streamerserver/logs/streaming*">All</choice>
        <choice value="/app/qp/streamerserver/logs/streaming/1/nohup.out">/app/qp/streamerserver/logs/streaming/1/nohup.out</choice>
        <choice value="/app/qp/streamerserver/logs/streaming/2/nohup.out">/app/qp/streamerserver/logs/streaming/2/nohup.out</choice>
        <choice value="/app/qp/streamerserver/logs/streaming/3/nohup.out">/app/qp/streamerserver/logs/streaming/3/nohup.out</choice>
        <choice value="/app/qp/streamerserver/logs/streaming/4/nohup.out">/app/qp/streamerserver/logs/streaming/4/nohup.out</choice>
      </input>
      <input type="text" token="texttok1">
        <label>Enter an error.</label>
        <default>*</default>
      </input>
      <table>
        <search>
          <query>host=$hosttok1$ "ERROR"  sourcetype=streamer_nohup source=$sourcetok1$| regex _raw!="WARN"| rex "(?&lt;error&gt;\w{5}\s+.{100})"| table _time host source error| search error="$texttok1$"</query>
          <earliest>$timetok1.earliest$</earliest>
          <latest>$timetok1.latest$</latest>
        </search>
        <option name="wrap">false</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
0 Karma
Reply

sundareshr
Legend
‎06-07-2016 11:11 AM

What does the search look like when you click on the little magnifying glass at the bottom of the panel?

<query>host=$hosttok1$ "ERROR"  sourcetype=streamer_nohup source=$sourcetok1$| regex _raw!="WARN"| rex "(?&lt;error&gt;\w{5}\s+.{100})"| table _time host source error| search error=$texttok1$</query>
0 Karma
Reply

vil505
Explorer
‎06-08-2016 08:55 AM

alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top