Re: how to search based on optional text fields?

rarangarajanspl · ‎05-15-2020

I have couple of text boxes (Tracking no and Track Type) in my bashboard and both are optional.

<fieldset submitButton="true" autoRun="false">
    <input type="text" token="TrackingNo">
      <label>Tracking Number</label>
      <default></default>
      <change>
        <condition value="">
          <set token="TrackingNo">*</set>
        </condition>
      </change>
    </input>
    <input type="text" token="Tracktype">
      <label>Tracktype</label>
      <default></default>
      <change>
        <condition value="">
          <set token="Tracktype">*</set>
        </condition>
      </change>
    </input>
  </fieldset>

Scenario 1: Once the user clicks submit button with out any input, dashboard should display all the data.
Scenario 2: By giving both values, it should fetch all the records exactly matching with Tracking no and Track Type
Scenario 3: By giving only Track no, it should fetch all the records matching with Tracking no, irrespective of Track type (With above simple XML code, track type is supplied as . )
*Scenario 4:** By giving only Track type, it should fetch all the records matching with Tracking type, irrespective of Track no. (With above simple XML code, Tracking no is supplied as *. )

Please help me to construct the search query

gcusello · ‎05-17-2020

Hi @rarangarajansplunk,
if Track_No and Track_Type are present in all events, you can use " * " as default value.

There's a problem if one of the above fields is missed in some events, because the default condition field=* excludes events without this field (you have this problem in 1, 3 and 4 case).

So, in this second case, (if acceptable for you) you could use a more complicated default values (e.g. Track_Type=* OR NOT Track_Type=* ).

Ciao.
Giuseppe

how to search based on optional text fields?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!