Solved: Why does the field town not exist in my events whe...

jip31 · ‎03-27-2022

Hello

I use an input text token in my search like this

town=$town$

By defaut, town = *

The problem is that sometimes the field town doesnt exist in my events

When i chose * i would be able to retrieve this kind of évents? Is it possible ? Thanks

kamlesh_vaghela · ‎03-27-2022

@jip31

You can set condition on change of text field to achieve it.

Try this example.

<form>
  <label>Search By Value or All Events</label>
  <fieldset submitButton="false">
    <input type="text" token="town" searchWhenChanged="true">
      <label>field1</label>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="cond"></set>
        </condition>
        <condition>
          <set token="cond">| search town="$value$"</set>
        </condition>
      </change>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$cond$</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval a = 1 | accum a | eval town = if(a%2==0,"town".a,null()) $cond$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎03-27-2022

@jip31

You can set condition on change of text field to achieve it.

Try this example.

<form>
  <label>Search By Value or All Events</label>
  <fieldset submitButton="false">
    <input type="text" token="town" searchWhenChanged="true">
      <label>field1</label>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="cond"></set>
        </condition>
        <condition>
          <set token="cond">| search town="$value$"</set>
        </condition>
      </change>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$cond$</title>
      <table>
        <search>
          <query>| makeresults count=10 | eval a = 1 | accum a | eval town = if(a%2==0,"town".a,null()) $cond$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

yuanliu · ‎03-27-2022

This is a great example to illustrate the caution of using field name in index search. Yes, it is possible to find events in which town is absent with a wildcard token. But the logic can be a little awkward.

If the requirement is to include those townless events always, you can say (town=$town$ OR NOT town=*). But I sense that you really want townless only if $town$ is *. In this case, you have to use a second filter, like

(town=$town$ OR NOT town=*)
| where "$town$" == "*" OR isnotnull(town)

Why does the field town not exist in my events when using input text token in my search?

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

Why does the field town not exist in my events when using input text token in my search?

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025