I have created a lookup table, service.csv
host,service,resource
"host1","fdl","all"
"host2","finance","db"
"host3","campus","web"
"host4","finance","db"
"host5","finance","db"
"host6","finance","app"
"host7","finance","app"
I have created a dashboard with 2 inputs, service and resource, which are both dropdown lists with various options in each, but also with an ALL option with a value of *.
The search linked to this dashboard is as follows:
index="*" source="*secure" ("keyboard")
| lookup "service.csv" host OUTPUT host,service,resource
| where service="$service$" AND resource="$resource$"
| table service,resource,host,source,_raw | sort -_raw
When I select a specific service and a specific resource from the dropdown lists, the search returns the desired results from both the lookup table and the data source. However, when I select the ALL (*) option for either or both lists, I get no results returned.
The search looks like:
index="*" source="*secure" ("keyboard")
| lookup "service.csv" host OUTPUT host,service,resource
| where service="*" AND resource="*"
| table service,resource,host,source,_raw | sort -_raw
Is there a way to resolve this so that I get the desired results?
How about using search (without the AND operator) instead of where?
| search service="*" resource="*"
Sooooo simple!! Thank you.
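The difference between the two filters, as an added example that is not part of the original thread: `where` compares the field against the literal one-character string `*`, while `search` treats `*` as a wildcard. The rows are constructed from the lookup table above, plus a hypothetical host99 that has no lookup entry and therefore no service or resource field.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n=1,"host1", n=2,"host2", n=3,"host6", n=4,"host99")
| eval service=case(n=1,"fdl", n=2,"finance", n=3,"finance")
| eval resource=case(n=1,"all", n=2,"db", n=3,"app")
| eval where_equals=if(service="*" AND resource="*", "kept", "dropped")
| eval where_like=if(like(service, "%") AND like(resource, "%"), "kept", "dropped")
| search service="*" resource="*"
| table host service resource where_equals where_like
```

host1, host2 and host6 come back with where_equals=dropped and where_like=kept, while host99 is removed by the final search because service="*" only matches events in which the field exists. like() uses % as its wildcard, so a where-based filter needs % rather than * as the value of the ALL option.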