I am trying to build a dashboard with multiple Text inputs that are optional. Say I have 4 Text input boxes: UserID, PID, SPID, and IP, with Default/Load values being "*". The initial search will return all results. But say I want to just search a UserID and want to bring back all data when UserID = "This_is_a_user". If I'm searching only on UserID, I don't want the other fields being searched on. How can I do this?
(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time
If userid, pid, spid and ip are the four tokens, one for each of the text boxes, then setting each text input's Default value to * should make it work the way you want, since by * you tell Splunk to search all values of the field to which this text input token was set (in case you left it blank).

Additionally, set the token prefix and token suffix to " (double quotes) so that you get the desired result as "tokenValue". If the token is not set and/or the default of * is chosen, the token value becomes "*", which might be more friendly 🙂

Hence, by setting just one of the four tokens and leaving the other three blank, the three on which you don't want to search will become "*", which is equal to not searching anything specific on them. That gives you the desired result of searching all values of the three fields that were left blank and filtering only on the one that is not blank.

Then the query below should work fine the way you require it.
(index=AUTH OR index=EXTERNAL_APP) UserID=$userid$ PID=$pid$ SPID=$spid$ IP=$ip$
| table AppID _time UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
| sort _time
That would work, but I have some events that contain only three of the four fields (UserID PID IP); some events do not have SPID and/or IP. So if I input data into the UserID and PID text boxes, leaving SPID and IP as "*" (UserID=Larry PID=1 SPID=* IP=*), that does not work, because the event contains the fields UserID and PID and does not have SPID and IP. Having "*" for SPID and IP implies that the event contains those two fields.
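The two points raised so far, the default-"*" text inputs from the first answer and the follow-up about events that lack SPID or IP, can be combined in one Simple XML dashboard. The following is an added example, not XML posted in this thread: each text input keeps * as its default, and a `<change>` block derives a second token (userid_filter, pid_filter, spid_filter, ip_filter; names chosen here) that is an empty string when the box is left at * and a quoted field filter otherwise. An empty token contributes nothing to the search, so an event without SPID is no longer excluded, while a filled-in box still filters on the quoted value. The `<init>` block and the empty `<set token="..."></set>` form are assumed to be supported on the Splunk version in use (Simple XML `<init>` requires 6.5 or later).

```xml
<form>
  <label>Optional text filters (constructed example, not from this thread)</label>

  <!-- Start every derived filter token empty, so the first search runs with
       no per-field filter at all (equivalent to "search everything"). -->
  <init>
    <set token="userid_filter"></set>
    <set token="pid_filter"></set>
    <set token="spid_filter"></set>
    <set token="ip_filter"></set>
  </init>

  <fieldset submitButton="true">
    <!-- Default "*" as suggested above. When the value is exactly "*" the
         derived token is cleared; otherwise it becomes a quoted field filter.
         Quoting here replaces the prefix/suffix setting on the input itself. -->
    <input type="text" token="userid">
      <label>UserID</label>
      <default>*</default>
      <change>
        <condition value="*">
          <set token="userid_filter"></set>
        </condition>
        <condition>
          <set token="userid_filter">UserID=&quot;$value$&quot;</set>
        </condition>
      </change>
    </input>

    <input type="text" token="pid">
      <label>PID</label>
      <default>*</default>
      <change>
        <condition value="*">
          <set token="pid_filter"></set>
        </condition>
        <condition>
          <set token="pid_filter">PID=&quot;$value$&quot;</set>
        </condition>
      </change>
    </input>

    <input type="text" token="spid">
      <label>SPID</label>
      <default>*</default>
      <change>
        <condition value="*">
          <set token="spid_filter"></set>
        </condition>
        <condition>
          <set token="spid_filter">SPID=&quot;$value$&quot;</set>
        </condition>
      </change>
    </input>

    <input type="text" token="ip">
      <label>IP</label>
      <default>*</default>
      <change>
        <condition value="*">
          <set token="ip_filter"></set>
        </condition>
        <condition>
          <set token="ip_filter">IP=&quot;$value$&quot;</set>
        </condition>
      </change>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <!-- With UserID=Larry and PID=1 entered and the other two boxes left at "*",
               the effective search is:
               (index=AUTH OR index=EXTERNAL_APP) UserID="Larry" PID="1"
               so events that carry no SPID or IP field still match. -->
          <query>(index=AUTH OR index=EXTERNAL_APP) $userid_filter$ $pid_filter$ $spid_filter$ $ip_filter$
| table _time AppID UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the filters are still joined by the implicit AND, a value typed into a box is always required, which is the behaviour asked for in the question; only the untouched boxes stop constraining the results. Clearing a box back to * (or blank, which falls back to the default) resets its filter token through the same `<change>` block.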
By default the search filters have a logical AND between them if you do not specify it explicitly. All you need to do is add OR between all the filters you want to use.
(index=AUTH OR index=EXTERNAL_APP) AND (UserID=$userid$ OR PID=$pid$ OR SPID=$spid$ OR IP=$ip$)
| table _time AppID UserID Session IP SystemID PID SPID Page Function FName MI LName Address Email
Also, in your table, change _time to be the first column, and the result will be automatically sorted based on the first field. This should save you one additional final sort query.
Since you have a variety of events and conditions, you should use separate dropdown/checkbox inputs between each field input to explicitly select what you need. By default you can have all AND selected.