Dashboards & Visualizations

enable case sensitive for values in dashboard.

email2vamsi
Explorer

Hi experts,
I want to enable case sensitive for values in dashboard.
I do not want to combine varied cases in one.

index="index_test1" sourcetype="st_test1" MyStatus="Failed" $source_tok$ $hostname_token$ |stats count

The above search should treat upper case and lower case for $source_tok$ differently.

Please help.

Thank you.

Tags (2)
0 Karma

sundareshr
Legend

Try this

index="index_test1" sourcetype="st_test1" MyStatus="Failed" source=$source_tok$ $hostname_token$ | where source=$source_tok$ | stats count
0 Karma

email2vamsi
Explorer

Now the count is right. But will this where cluase effect the count as search has to consider the second token $hostname_token$ aswell?

index="index_test1" sourcetype="st_test1" MyStatus="Failed" source=$source_tok$ $hostname_token$ | where source=$source_tok$ | stats count

0 Karma

sundareshr
Legend

You can add host name as well.

index="index_test1" sourcetype="st_test1" MyStatus="Failed" source=$source_tok$ host=$hostname_token$ | where source=$source_tok$ AND host=$hostname_token$ | stats count

0 Karma

email2vamsi
Explorer

Thank you. This will help. I am curious to know how where clause is making it case sensitive?

0 Karma

sundareshr
Legend

search is case in-sensitive and where is case-sensitive. The reason you have the token values before the where clause is to make the search more efficient. Limit the results to only matching source case insensitive and then further filter it in the where

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Based on what goes in your token $source_tok$ (whether its just some string OR fieldname=value format), you can use CASE function of the search command (works in | search and base search), like this

index="index_test1" sourcetype="st_test1" MyStatus="Failed" CASE($source_tok$) $hostname_token$ |stats count

If your $source_tok$ is in format source="somevalue", update the form input to include CASE while setting the token.

0 Karma

email2vamsi
Explorer

Hi Somesoni2,

CASE is not working for me. |stats count is returning 0 values.

But i found the following description for CASE which has the functionality other than case sensitivity.

This function takes pairs of arguments X and Y. The X arguments are Boolean expressions that will be evaluated from first to last. When the first X expression is encountered that evaluates to TRUE, the corresponding Y argument will be returned. The function defaults to NULL if none are true.
0 Karma

somesoni2
SplunkTrust
SplunkTrust

The case that you're seeing is for eval command, the One I;m talking to is works with search command.
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Search#Search_with_CASE.28.29

Could you post from where the token $source_tok$ is being populated and what value it holds?

0 Karma

email2vamsi
Explorer

$source_tok$ comes from a drop down. It returns souce="some value".I want to treat "some value" as case sensitive in the dasboard.The dashboard gets filled on the basis of drop down selection. 

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You would need to update your dropdown code to include the CASE function.

<input type="dropdown" token="source_tok">
      <label>Select a source</label>
    ..other settings...
    <prefix>source=CASE(</prefix>
    <suffix>)</suffix>
    ..other settings...
    </input>

OR just remove both prefix and suffix, and update your search to use source=$source_tok$ instead of just $source_tok$.

0 Karma

email2vamsi
Explorer

Thank you. I will try this.

Is there any way to refresh the panel in the dasboard whenever I select an option in drop down? I want the panel should be in page-1 when I make a selection in drop down.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Add the option searchWhenChanged as true in the xml (OR check the "Search When changed" checkbox")

0 Karma

email2vamsi
Explorer

Hi somesoni2,

I do not see any "Search when Changed" option for panel.
This option is already enabled for drop down.

No matter on which page the table on panel is, it should come to first page when i make a different selection on drop down.

0 Karma

email2vamsi
Explorer

$source_tok$ comes from a drop down. It returns souce="some value".

I want to treat "some value" as case insensitive in the dasboard.
The dashboard gets filled on the basis of drop down selection.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...