Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to search based on optional text fields?

rarangarajanspl
Explorer
‎05-15-2020 11:53 AM

I have couple of text boxes (Tracking no and Track Type) in my bashboard and both are optional. 

<fieldset submitButton="true" autoRun="false">
    <input type="text" token="TrackingNo">
      <label>Tracking Number</label>
      <default></default>
      <change>
        <condition value="">
          <set token="TrackingNo">*</set>
        </condition>
      </change>
    </input>
    <input type="text" token="Tracktype">
      <label>Tracktype</label>
      <default></default>
      <change>
        <condition value="">
          <set token="Tracktype">*</set>
        </condition>
      </change>
    </input>
  </fieldset>

Scenario 1: Once the user clicks submit button with out any input, dashboard should display all the data.
Scenario 2: By giving both values, it should fetch all the records exactly matching with Tracking no and Track Type
Scenario 3: By giving only Track no, it should fetch all the records matching with Tracking no, irrespective of Track type (With above simple XML code, track type is supplied as . )
*Scenario 4:** By giving only Track type, it should fetch all the records matching with Tracking type, irrespective of Track no. (With above simple XML code, Tracking no is supplied as *. )

Please help me to construct the search query

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-17-2020 02:27 AM

Hi @rarangarajansplunk,
if Track_No and Track_Type are present in all events, you can use " * " as default value.

There's a problem if one of the above fields is missed in some events, because the default condition field=* excludes events without this field (you have this problem in 1, 3 and 4 case).

So, in this second case, (if acceptable for you) you could use a more complicated default values (e.g. Track_Type=* OR NOT Track_Type=* ).

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...