Splunk Search

Why does the field town not exist in my events when using input text token in my search?

jip31
Motivator

Hello

I use an input text token in my search like this

town=$town$

By default, town = *

The problem is that sometimes the field town doesn't exist in my events.

When I choose *, would I be able to retrieve this kind of event? Is it possible? Thanks


kamlesh_vaghela
SplunkTrust

@jip31 

You can set a condition on change of the text field to achieve it.

Try this example.

<form>
  <label>Search By Value or All Events</label>
  <fieldset submitButton="false">
    <input type="text" token="town" searchWhenChanged="true">
      <label>field1</label>
      <!-- Runs each time the text value changes: a bare "*" clears the
           filter so events without a town field come through; any other
           value appends a search on the town field -->
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="cond"></set>
        </condition>
        <condition>
          <set token="cond">| search town="$value$"</set>
        </condition>
      </change>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$cond$</title>
      <table>
        <search>
          <!-- Sample data: even rows get a town value, odd rows have no
               town field at all, so the "*" case is visible -->
          <query>| makeresults count=10 | eval a = 1 | accum a | eval town = if(a%2==0,"town".a,null()) $cond$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

 

Thanks
KV


If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.


yuanliu
SplunkTrust

This is a great example to illustrate the caution needed when using a field name in an index search.  Yes, it is possible to find events in which town is absent with a wildcard token.  But the logic can be a little awkward.

If the requirement is to always include those townless events, you can say (town=$town$ OR NOT town=*).  But I sense that you really want townless events only if $town$ is *.  In this case, you have to use a second filter, like

(town=$town$ OR NOT town=*)
| where "$town$" == "*" OR isnotnull(town)

 

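Putting the accepted answer's dashboard together with the second filter from the reply above, as an added example rather than code from either post. It keeps the wildcard default and the makeresults sample data, but moves the logic into the query itself: `NOT town=*` is what actually matches events with no town field (a plain `town=*`, quoted or not, only matches events that have one), and the `where` clause drops those townless rows again unless the token is the wildcard. One assumption to flag: it uses Splunk's `|s` token filter, which the Simple XML reference describes as wrapping the token value in double quotes and escaping embedded quotes and backslashes, so the typed value always reaches the search as a string literal instead of being pasted verbatim inside `town="$town$"`.

```xml
<form>
  <label>Town filter: wildcard also returns events without the field</label>
  <fieldset submitButton="false">
    <input type="text" token="town" searchWhenChanged="true">
      <label>town (* = everything, including events with no town field)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- |s (assumed behaviour, per the Simple XML token-filter docs) wraps
           the typed value in double quotes and escapes embedded quotes, so
           the title and the query below always see one string literal -->
      <title>town=$town|s$</title>
      <table>
        <search>
          <!-- Constructed sample data, not from the original post: even rows
               carry a town value, odd rows have no town field at all.
               town="*" matches any value but never a missing field;
               NOT town=* matches exactly the rows that lack the field.
               The where clause keeps those townless rows only when the
               token is the wildcard. -->
          <query>| makeresults count=10
| streamstats count AS a
| eval town=if(a%2==0, "town".a, null())
| search (town=$town|s$ OR NOT town=*)
| where $town|s$ == "*" OR isnotnull(town)
| table a town</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

With the default `*` the table shows all ten rows, five of them with an empty town column; typing `town4` shows only row 4, and typing `town` shows nothing, because an exact value does not reinstate the townless rows. The reason for `|s` rather than hand-written quotes around `$town$` is that a value containing a double quote would otherwise close the literal and change the shape of the generated search; with the filter it is escaped and stays part of the value.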