Hi experts,
I want to enable case sensitivity for values in a dashboard.
I do not want to combine varied cases in one.
index="index_test1" sourcetype="st_test1" MyStatus="Failed" $source_tok$ $hostname_token$ |stats count
The above search should treat upper case and lower case for $source_tok$ differently.
Please help.
Thank you.
Try this
index="index_test1" sourcetype="st_test1" MyStatus="Failed" source=$source_tok$ $hostname_token$ | where source=$source_tok$ | stats count
Now the count is right. But will this where clause affect the count, as the search has to consider the second token $hostname_token$ as well?
index="index_test1" sourcetype="st_test1" MyStatus="Failed" source=$source_tok$ $hostname_token$ | where source=$source_tok$ | stats count
You can add host name as well.
index="index_test1" sourcetype="st_test1" MyStatus="Failed" source=$source_tok$ host=$hostname_token$ | where source=$source_tok$ AND host=$hostname_token$ | stats count
Thank you. This will help. I am curious to know how where clause is making it case sensitive?
search is case-insensitive and where is case-sensitive. The reason you have the token values before the where clause is to make the search more efficient. Limit the results to only the matching source, case-insensitively, and then filter it further in the where.
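A self-contained way to see the behaviour described above, added here as an example and not part of the original thread: the events, the `src` field and its path values are constructed with makeresults, so it runs in any search bar without indexed data. The search command keeps every case variant of the path, while the eval comparison (the same case-sensitive expression a where clause evaluates) flags only the exact-case one, so the two counts in the result differ.

```spl
| makeresults count=4
| streamstats count AS n
| eval src=case(n=1, "/var/log/App.log",
                n=2, "/var/log/app.log",
                n=3, "/var/log/APP.LOG",
                n=4, "/var/log/other.log")
| search src="/var/log/app.log"
| eval exact_case=if(src="/var/log/app.log", 1, 0)
| stats count AS matched_by_search, sum(exact_case) AS matched_case_sensitively
```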
Based on what goes in your token $source_tok$ (whether it's just some string OR fieldname=value format), you can use the CASE function of the search command (works in | search and base search), like this:
index="index_test1" sourcetype="st_test1" MyStatus="Failed" CASE($source_tok$) $hostname_token$ |stats count
If your $source_tok$ is in format source="somevalue", update the form input to include CASE while setting the token.
Hi Somesoni2,
CASE is not working for me. |stats count is returning 0 values.
But I found the following description for CASE, which has functionality other than case sensitivity.
This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.
The CASE that you're seeing is for the eval command; the one I'm talking about works with the search command.
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Search#Search_with_CASE.28.29
Could you post from where the token $source_tok$ is being populated and what value it holds?
$source_tok$ comes from a drop down. It returns source="some value". I want to treat "some value" as case sensitive in the dashboard. The dashboard gets filled on the basis of the drop down selection.
You would need to update your dropdown code to include the CASE function.
<input type="dropdown" token="source_tok">
  <label>Select a source</label>
  <!-- ..other settings... -->
  <prefix>source=CASE(</prefix>
  <suffix>)</suffix>
  <!-- ..other settings... -->
</input>
OR just remove both prefix and suffix, and update your search to use source=$source_tok$ instead of just $source_tok$.
Thank you. I will try this.
Is there any way to refresh the panel in the dashboard whenever I select an option in the drop down? I want the panel to be on page 1 when I make a selection in the drop down.
Add the option searchWhenChanged as true in the XML (OR check the "Search When changed" checkbox).
Hi somesoni2,
I do not see any "Search when Changed" option for the panel.
This option is already enabled for the drop down.
No matter which page the table in the panel is on, it should come to the first page when I make a different selection in the drop down.
$source_tok$ comes from a drop down. It returns source="some value".
I want to treat "some value" as case insensitive in the dashboard.
The dashboard gets filled on the basis of the drop down selection.