Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About smanojkumar
smanojkumar
Contributor
Member since:
07-16-2021
07-14-2025
Community Statistics
| Posts | 178 |
| Solutions | 0 |
| Karma Given | 46 |
| Karma Received | 0 |
| Member Since | 07-16-2021 |
Activity Feed
- Posted Re: comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-30-2025 01:33 AM
- Posted Re: comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-29-2025 03:34 AM
- Posted Re: comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-28-2025 05:45 AM
- Posted Re: comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-28-2025 03:52 AM
- Posted Re: comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-28-2025 02:45 AM
- Posted Re: comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-27-2025 09:34 PM
- Posted comparing the data of lookup with index data and extrcat the info from Index on Splunk Search. 05-27-2025 09:45 AM
- Posted Re: Back fill of data in timerange on Splunk Search. 03-03-2025 03:49 AM
- Posted Re: Back fill of data in timerange on Splunk Search. 03-03-2025 03:21 AM
- Posted Back fill of data in timerange on Splunk Search. 03-03-2025 02:16 AM
- Posted Re: Display Dashboard in Stacked row on Splunk Search. 02-11-2025 03:41 AM
- Posted Display Dashboard in Stacked row on Splunk Search. 02-11-2025 03:29 AM
- Posted Re: How to use substr or regex to extract part of text on Splunk Search. 02-07-2025 03:34 AM
- Karma Re: Adding zoom in option to timeline chart for ITWhisperer. 02-07-2025 02:11 AM
- Posted Re: Passing a mutiple values of label in input dropdown on Splunk Search. 12-08-2024 11:05 PM
- Posted Re: Passing a mutiple values of label in input dropdown on Splunk Search. 12-05-2024 08:43 PM
- Posted Passing a mutiple values of label in input dropdown on Splunk Search. 12-04-2024 08:11 PM
- Posted Issues in multiselect input dropdown on Splunk Search. 12-04-2024 02:03 AM
- Karma Re: Adding zoom in option to timeline chart for bowesmana. 11-14-2024 08:55 PM
- Posted Re: Adding zoom in option to timeline chart on Splunk Search. 11-14-2024 01:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-30-2025
01:33 AM
Hello @PickleRick , I have an alert which run on every 5mins, there are data from 23 index, which indexes are meeting the criterion that have been created as an alert, on the same index i need to ran diffrerent search to know the error message and match the event with the time stamp with an deviation of +0.5 Sec or -0.5 sec in the event and need to show the results in an another alert. Please let me know if there are anything. Thanks!
... View more
05-29-2025
03:34 AM
Hi @gcusello , As you see in 3rd screenshot, the smaple time that i have ingested is 2025-05-27 17:38:07.991, but in the 2nd screenshot the time stamp chnaged to 2025-05-23 05:25:50.795 in the field name Loo_time in the results , I dont know the reason. also I have use only epoch time from the lookup while comparing with index data which is already in epoch time. This was my only concern, Can you please help me to fix this. Thanks!
... View more
05-28-2025
05:45 AM
Hello @gcusello , If you mean with multiple values from Lookup, I didnt tried. I would like to check the time from lookup with index timestamp events of deviation +0.5Sec or -0.5Sec from the time in index and i need to show the result. Please let me know if there are any other way to do it. Thanks!
... View more
05-28-2025
03:52 AM
Hello @gcusello , I was just testing with single value, Obviously it will be dynamic. Thanks again!
... View more
05-28-2025
02:45 AM
Hello @gcusello & @PickleRick , Thanks for your time! I have converted both index time and Lookup time to epoch. It seems perfect with makeresults but while I'm using index data the time stamps were changed to an another new value in the search, I herewith attched the snap of makeresults where its workign fine, and the other snaps as well, Please let me know if i missed anything. Thanks!
... View more
05-27-2025
09:34 PM
Hello @PickleRick , I have tried implementing that, the timetsamp in lookup is not correctly passed in this search, I was bit confused. Whatever the lookup has in timestamp value, it was passed as diffrent value in the search, I feels strange. please let me know if i have missed anything. Thanks!
... View more
05-27-2025
09:45 AM
index=*sap sourcetype=FSC* | fields _time index Eventts ID FIELD_02 FIELD_01 CODE ID FIELD* source | rex field=index "^(?<prefix>\d+_\d+)" | lookup lookup_site_ids.csv prefix as prefix output name as Site | eval name2=substr(Site,8,4) | rex field=Eventts "(?<Date>\d{4}-\d{2}-\d{2})T(?<Time>\d{2}:\d{2}:\d{2}\.\d{3})" | fields - Eventts | eval timestamp = Date . " " . Time | eval _time = strptime(timestamp, "%Y-%m-%d %H:%M:%S.%3N") | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S.%3N"), Condition="test" | eval Stamp = strftime(_time, "%Y-%m-%d %H:%M:%S.%3N") | lookup Stoppage.csv name as Site OUTPUT Condition Time as Stamp | search Condition="Stoppage" | where Stamp = Time | eval index_time = strptime(Time, "%Y-%m-%d %H:%M:%S.%3N") | eval lookup_time = strftime(Stamp, "%Y-%m-%d %H:%M:%S.%3N") | eval CODE=if(isnull(CODE),"N/A",CODE), FIELD_01=if(isnull(FIELD_01),"N/A",FIELD_01), FIELD_02=if(isnull(FIELD_02),"N/A",FIELD_02) | lookup code_translator.csv FIELD_01 as FIELD_01 output nonzero_bits as nonzero_bits | eval nonzero_bits=if(FIELD_02="ST" AND FIELD_01="DA",nonzero_bits,"N/A") | mvexpand nonzero_bits | lookup Decomposition_File.csv Site as name2 Alarm_bit_index as nonzero_bits "Componenty_type_and_CODE" as CODE "Component_number" as ID output "Symbolic_name" as Symbolic_name Alarm_type as Alarm_type Brief_alarm_description as Brief_alarm_description Alarm_solution | eval Symbolic_name=if(FIELD_01="DA",Symbolic_name,"N/A") , Brief_alarm_description=if(FIELD_01="DA",Brief_alarm_description,"N/A") , Alarm_type=if(FIELD_01="DA",Alarm_type,"N/A") , Alarm_solution=if(FIELD_01="DA",Alarm_solution,"N/A") | fillnull value="N/A" Symbolic_name Brief_alarm_description Alarm_type | table Site Symbolic_name Brief_alarm_description Alarm_type Alarm_solution Condition Value index_time Time _time Stamp lookup_time
... View more
Labels
- Labels:
-
other
03-03-2025
03:49 AM
Hello @ITWhisperer , Thanks for asking! You are right.., It will be like, the next event will be received within 3 days, it wont take more time at wrost cases. I'm using those values in the chart, when we are searching with less time range, I can't see the logs of the timerange in that time range because of the gap in logs, I have listed two scenarious, As per the scenario1, The perevious value is just a opposite value of the next one. Scenario 2 is bit hard, having multiple values, which can be generated before 3 days at wrost cases. Thansk!
... View more
03-03-2025
03:21 AM
Hello @ITWhisperer , Thanks for your reply. 17:54:01 - System reset 22:09:04 - System Stop 23:01:01 - System Started 01:01:01 - System Stop In case of from 21:00, I need to take as System reset and followed by other values. Actually I just need to fill the value, even the logs weren't there in teh selcted timerange. Thanks!
... View more
03-03-2025
02:16 AM
Hello Splunkers, I'm having a logs which will be generated only where there is change in system, 6:01:01 - System Stop 10:54:01 - System Start 13:09:04 - System Stop 16:01:01 - System Start 17:01:01 - System Stop These are the logs. Lets say If I'm searchit it in a chart, for the timerange from 7Am - 4Pm the chart from 8Am until 10:54:01 Am is empty since the previous event was generated at 6:01:01, so there is a gap. I would like to fix this. In some cases only 2 values is been repeated, so we can take the one in present, the past can be its opposite. Eg - At 10:54:01 - System Start, We have received this log, where the system is start, the previous one will be stop. These are fixed for some cased, I need two best solutions, only for this scenario, other for multiple values, like these 14:01:01 - System Started 17:54:01 - System reset 22:09:04 - System Stop 23:01:01 - System Started 01:01:01 - System Stop wheres here I'm getting three values like Started, Stop and reset. Thanks in Advance!
... View more
02-11-2025
03:41 AM
Hi @livehybrid , Thanks for your response! The panels in right side weren't visible <row> <panel> <title>Panel 1</title> <table> <search> <query>| makeresults | eval name="p1"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> <column> <row> <panel> <title>Panel 2</title> <table> <search> <query>| makeresults | eval name="p2"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel> <title>Panel 3</title> <table> <search> <query>| makeresults | eval name="p3"</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">cell</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </column> </row> Please try this. Thanks!
... View more
02-11-2025
03:29 AM
Hello There, I'm having 3 panles, where i need to display panel 1 in left side, In the same row I need to display Panle 2 and Panel 3 in left side in a stacked way. Is there is possibel way in Classic dashboard in Splunk? | Left | Top-Right | | Panel |---------- | | | Bot-Right| Looking forward for the resposne. Thanks!
... View more
02-07-2025
03:34 AM
Hello @vvkarur , You can try this regex | rex field=_raw "\"role\":\"(?<field_name>\w+)\"" Thanks!
... View more
12-08-2024
11:05 PM
Hi @yuanliu ,
Thanks for your reply. Sorry for not briefing it properly. 1. data input is from lookup site_ids.csv is displayname prefix abc12 23456789
qwe14 78945612
rty12 12356789
yuui13 56897412 Here I need to display displayname field value in input dropdown as a multi select value, also I would like to pass label that is prefix to my search as well. lets say, If i select displayname fields values as
abc12
qwe14
rty12 I need to see these values in input dropdown and need to pass the below prefix to the search in dashboard panel
23456789 78945612 12356789 as ("23456789", "78945612","12356789 "), which needs to be used in IN command Here is the search where i will be using the prefix token in search
index=abc sourcetype=sc*
| fields _time index Eventts FIELD* source IPC
| search IPC IN ($my_token$)
| fields - source
Hope I'm clear now, please let me know if there are anything. Thanks!
... View more
12-05-2024
08:43 PM
Hello @yuanliu , Thanks for your reply. Already the query of input dropdown can pass multiselect values, here I'm having two field values one id for field for label and another one is for field for value. I need to pass field for value to the search, which is working fine in the current search, But i need to pass field for label values to the search, where us its a multi select values. Please let me know if i missed anything. Thanks!
... View more
12-04-2024
08:11 PM
Hello There, I would like to pass mutiple values in label, Where in the current search i can able to pass onlu one values at a time,
<input type="multiselect" token="siteid" searchWhenChanged="true">
<label>Site</label>
<choice value="*">All</choice>
<choice value="03">No Site Selected</choice>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>
| inputlookup site_ids.csv
|search displayname != "ABCN8" AND displayname != "ABER8" AND displayname != "AFRA7" AND displayname != "AMAN2"
</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>_fc7 OR index=</delimiter>
<suffix>_fc7</suffix>
<default>03</default>
<initialValue>03</initialValue>
<change>
<eval token="form.siteid">case(mvcount('form.siteid') == 2 AND mvindex('form.siteid', 0) == "03", mvindex('form.siteid', 1), mvfind('form.siteid', "\\*") == mvcount('form.siteid') - 1, "03", true(), 'form.siteid')</eval>
</change>
<change>
<set token="tokLabel">$label$</set>
</change>
</input>
I need to pass this label value as well, which is a multiselect value. Thanks!
... View more
12-04-2024
02:03 AM
Hello There, I'm hvaing issues in multiselect input dropdown
<input type="multiselect" token="siteid" searchWhenChanged="true">
<label>Site</label>
<choice value="*">All</choice>
<choice value="03">No Site Selected</choice>
<fieldForLabel>displayname</fieldForLabel>
<fieldForValue>prefix</fieldForValue>
<search>
<query>
| inputlookup site_ids.csv
| search displayname != "ABN8" AND displayname != "ABR8" AND displayname != "ABRA7" AND displayname != "ABMAN2"
</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>_fc7 OR index=</delimiter>
<suffix>_fc7</suffix>
<default>03</default>
<initialValue>03</initialValue>
<change>
<eval token="form.siteid">case(mvcount('form.siteid') == 2 AND mvindex('form.siteid', 0) == "03", mvindex('form.siteid', 1), mvfind('form.siteid', "\\*") == mvcount('form.siteid') - 1, "03", true(), 'form.siteid')</eval>
</change>
</input>
<input type="multiselect" token="system_number" searchWhenChanged="true">
<label>Node</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>Node</fieldForLabel>
<fieldForValue>sys_number</fieldForValue>
<change>
<eval token="form.system_number">case(mvcount('form.system_number') == 2 AND mvindex('form.system_number', 0) == "*", mvindex('form.system_number', 1), mvfind('form.system_number', "\\*") == mvcount('form.system,_number') - 1, "*", true(), 'form.system_number')</eval>
</change>
<search>
<query>| inputlookup node.csv
| fields site prefix Node sys_number
| eval token_value = "$siteid$"
| eval site_val = if(match(token_value, "OR\s*index="), split(replace(token_value, "\s*OR\s*index=\s*", ","), ","), token_value)
| where prefix=site_val
| dedup Node
| table Node sys_number</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<prefix>"</prefix>
<suffix>"</suffix>
<valueSuffix>","</valueSuffix>
<delimiter> </delimiter>
</input>
the problem here is, I need to have field for label as Node but , When I'm selecting an value in siteid, then selecting a value in Node, after that selecting the secong value in Siteid, the node change its value to sys_number, but actually it should be Node, as we mentioned fields label as Node only but it changes to sys_number. this only happens after selecting any values in Node, if we select values in siteid, the Node behaved wierd. Other eise its fine, Thanks!
... View more
11-14-2024
01:17 AM
Hi @bowesmana & @ITWhisperer ,
Thanks for your reply! I have tried using selection but facing some error even after this warning this is not working. "Invalid child="selection" is not allowed in node="viz" "
<row>
<panel>
<title>status</title>
<viz type="timeline_app.timeline">
<search>
<query>index=$siteid$ sourcetype=logs* CAT IN ("TAT") _raw=*** (NOT CODE=* OR CODE IN ("T11"))
| head 100000
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
| fillnull value="N/A"
.............................
| eval displayname="Operational".displayname
| table _time displayname FIELD_01 duration
| append
[ search index=$siteid$ sourcetype=FSC* CAT IN ("ST") _raw=*** (NOT CODE=* OR CODE IN ("Ad13"))
| head 100000
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
..............................
| table _time displayname FIELD_01 duration
]
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="height">460</option>
<option name="refresh.display">progressbar</option>
<option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.colorMode">categorical</option>
<option name="timeline_app.timeline.maxColor">#DA5C5C</option>
<option name="timeline_app.timeline.minColor">#FFE8E8</option>
<option name="timeline_app.timeline.numOfBins">6</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.useColors">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<selection>
<set token="selection.earliest">$start$</set>
<set token="selection.latest">$end$</set>
<set token="start.count">$start.count$</set>
<set token="end.count">$end.count$</set>
</selection>
<drilldown><link target="_blank">search?q=
<query>index=$siteid$ sourcetype=FSC* CAT IN ("TAT") _raw=*** (NOT CODE=* OR MARKCODE IN ("TZ11"))
| head 100000
| where _time >= $selection.earliest$ AND _time ?<= $selection.latest$
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
..................
| table _time displayname FIELD_01 duration
| append
[ search index=$siteid$ sourcetype=FSC* CAT IN ("ST") _raw=*** (NOT CODE=* OR CODE IN ("Ak03"))
| head 100000
| eval Eventts_date=substr(Eventts,1,10)
| eval Eventts_time=substr(Eventts,12,8)
| eval Eventts_new=Eventts_date." ".Eventts_time
| eval _timee=strptime(Eventts_new,"%Y-%m-%d %H:%M:%S.%6N")
............................................
| eval displayname="Maintenance".displayname
| table _time displayname FIELD_01 duration
]
</query></link></drilldown>
</viz>
</panel>
</row>
... View more
11-13-2024
04:11 AM
Hello All, I'm having a timeline chart, I would like to add zoom in to this chart when we drang and select some lines, it needs to zoom. Can anyone hekp to find this. Thanks in Advance!
... View more
Labels
- Labels:
-
chart
11-12-2024
04:01 AM
Hello Splunkers,
I'm getting proper results without any selction in input dropdown, I can able to download the results of that particular table but when I'm making any selection in dahsboard, since its having the base search, its loading results will all fields in base search rather than the fields mentioned in that table. here is the query,
<panel>
<title>Raw Data</title>
<!-- HTML Panel for Spinner -->
<input type="text" token="value" searchWhenChanged="true">
<label>Row Data per Page</label>
<default>20</default>
<initialValue>20</initialValue>
</input>
<input type="radio" token="field3" searchWhenChanged="true">
<label>Condition_1</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
<label>All Fields Search_1</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
<label>Add New Condition</label>
<choice value="0">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$">
<label>Expression</label>
<choice value="AND">AND</choice>
<choice value="OR">OR</choice>
<default>AND</default>
<initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$">
<label>Condition_2</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$">
<label>All Fields Search_2</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<html>
<a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&timeFormat=%25FT%25T.%25Q%25%3Az&maxLines=0&count=0&filename=Event_Logs&outputMode=csv">Download CSV</a>
</html>
<html depends="$showSpinner3$">
<!-- CSS Style to Create Spinner using animation -->
<style>
.loadSpinner {
margin: 0 auto;
border: 5px solid #FFF; /* White BG */
border-top: 5px solid #3863A0; /* Blue */
border-radius: 80%;
width: 50px;
height: 50px;
animation: spin 1s linear infinite;
}
@keyframes spin {
0% { transform: rotate(0deg); }
100% { transform: rotate(360deg); }
}
<!-- CSS override to hide default Splunk Search Progress Bar -->
#panel1 .progress-bar{
visibility: hidden;
}
</style>
<div class="loadSpinner"/>
</html>
<table>
<search base="base_search_index">
<progress>
<!-- Set the token to Show Spinner when the search is running -->
<set token="showSpinner3">true</set>
</progress>
<done>
<!-- Unset the token to Hide Spinner when the search completes -->
<unset token="showSpinner3"></unset>
</done>
<query>| sort _time |eval _raw=displayname.","._raw
| table _raw
| appendpipe
[| stats count
| where count == 0
| eval _raw="No Data Found for selected time and filters"
| table _raw ]</query>
<done>
<set token="export_sid">$job.sid$</set>
</done>
</search>
<option name="count">$value$</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="_raw">
<colorPalette type="map">{"No Data Found for selected time and filters":#D41F1F}</colorPalette>
</format>
</table>
</panel>
... View more
11-11-2024
03:18 AM
Hello Splunkers,
I have created a input dropdown where i need to reset all input drodpdown irrespective of the selections made to the default value of the fields. Here i can chnage the values that were passed to the search but I weren't unable to change the values that were present in input dropdown.
<input type="radio" token="field3" searchWhenChanged="true">
<label>Condition_1</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search" searchWhenChanged="true">
<label>All Fields Search_1</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="field4">
<label>Add New Condition</label>
<choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field5" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
<label>Expression</label>
<choice value="AND">AND</choice>
<choice value="OR">OR</choice>
<default>AND</default>
<initialValue>AND</initialValue>
</input>
<input type="radio" token="field6" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
<label>Condition_2</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search2" searchWhenChanged="true" depends="$field4$" rejects="$reset_all_field_search$">
<label>All Fields Search_2</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="field14" depends="$field4$">
<label>Add New Condition</label>
<choice value="1">Yes</choice>
</input>
<input type="dropdown" token="field15" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
<label>Expression</label>
<choice value="AND">AND</choice>
<choice value="OR">OR</choice>
<default>AND</default>
<initialValue>AND</initialValue>
</input>
<input type="radio" token="field16" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
<label>Condition_3</label>
<choice value="=">Contains</choice>
<choice value="!=">Does Not Contain</choice>
<default>=</default>
<initialValue>=</initialValue>
</input>
<input type="text" token="search12" searchWhenChanged="true" depends="$field14$" rejects="$reset_all_field_search$">
<label>All Fields Search_3</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="checkbox" token="reset_all_field_search" searchWhenChanged="true">
<label>Reset All field search</label>
<choice value="reset_all_field_search">Yes</choice>
<delimiter> </delimiter>
<change>
<condition value="reset_all_field_search">
<unset token="search"></unset>
<set token="search">*</set>
<unset token="search2"></unset>
<set token="search2">*</set>
<unset token="search12"></unset>
<set token="search12">*</set>
<unset token="field4"></unset>
<set token="field4">*</set>
<unset token="field5"></unset>
<set token="field5">*</set>
</condition>
</change>
</input>
please help me to fix this. Thanks!
... View more
11-04-2024
10:23 PM
Hello @zksvc , Thanks again! I'm facing error in this line "unbalanced quotes" | eval lengths = mvmap(code_list, len(trim('code_list', '"'))) So ihave modified this as | eval lengths = mvmap(code_list, len(trim('code_list', "\""))) though eval is not accepting "*" as a token value in code. Thanks!
... View more
11-04-2024
07:25 PM
Hello @zksvc , Thanks for your prompt response and Thanks for your time! It works but my token value will be enclosed with ("token_value"), Lets say token and results can be Token Result Reason ("*") value_1 Since the length of "*" is 1, we need pass value1 ( "abc") value_2 Since the length of "abc" is 3, we need pass value2 ("ajd","abc","sd") value_2 Since the length of "ajd" is 3, we need pass value2 The purpose of this is, My use case is to find wheather the token consists of "*" in it or not, Since its a inputdropdown of multivalue field, If i use mv commands it only works for multivalues but at some cases we will be getting single value from the input dropdown, So i need a condition to work in both the cases. Thanks!
... View more
11-04-2024
06:59 PM
Hello There, I would like to pass two diffrent values as a token, the search consists of code as a token, where code field can be single values or with multiple values, we need to calculate the length and if the length is equal to 1, then we need pass value_1., if the length is greater than 1, then we need to pass value_2 in a new token, index=03_f123456 sourcetype=logs* (CODE IN ($code$)) | eval x=len($code$) | eval y=if(x=1,"value_1",value_2") |dedup y |table y Thanks in advance!
... View more
- Tags:
- search
10-29-2024
08:58 PM
Hello @ITWhisperer , Hope i have added more information, please let me know if i need to add any other info. Actual need is, I'm having a field where sometimes i will get empty value, When i'm selecting All in input drodown the values can be anything, it can be empty as well but when we choose any specific value in input drodown, we don't need to consider empty values, so I planned to create 2 base searches, one is when we choose all in input drodown, other is when we choose any values apart from All in input drodown, Since when we are choosing any other values in input drodown, we can use | where isnotnull(field_name) | head 10000 which is not needed when we are selecting all in inputdrodown, since the data volume is huge . thanks! thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-14-2025
11:55 PM
|
