How to omit a field from search on a text input if the field is blank/null

gulelin10
Engager

Hello all,

Fairly new to Splunk and have a question.

I am trying to build what seemed like a fairly simple tool but I can't get it to work correctly. I need to search on two different text input values and find results where either value is present. The tricky part is that I don't want to search a field if it's blank.

If I do:

*
....(Field1=$value1$ OR Field2=$value2$)

Splunk returns results for all values in either field that is left null. I need to be able to not search at all on either one of these values if they are left null. Thanks in advance!

0 Karma

elliotproebstel
Champion

This answer seems to provide the closest guidance for what you're seeking:
https://answers.splunk.com/answers/4911/evaluating-form-field-if-not-null.html

But I don't think it's a complete solution if you want both input fields to be optional. In that case, you may need to add some JavaScript behind the scenes. You can pass tokens to JavaScript, evaluate the status of the tokens, and generate an appropriate query based on that analysis. It shouldn't be too complex if you are comfortable with JavaScript. Here's some documentation to get you started:
http://dev.splunk.com/view/SP-CAAAE25#Addingcode:usingJavaScriptandSearchProcessingLanguage-Loadingc...

0 Karma

s2_splunk
Splunk Employee

Try to add ((Field1=* AND Field1=$value1$) OR (Field2=* AND Field2=$value2$))
field=* means "only select events where field has a value." This should exclude events where either Field1 or Field2 is NULL.

gulelin10
Engager

In looking at your answer I realized I didn't phrase the question correctly. Thank you for the help! I just want to clarify what I am after.

The tool will have two text entry fields. I don't want to search at all on a text entry that is left blank. I want the user to be able to enter a value in either input field - if they enter in both it will search for both values. If they enter in only one or the other it will search for that value but ignore the other value in the search - ideally I'd like to only search for the values that get entered.

Does that make more sense?

0 Karma
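
The approach suggested above (evaluate the input tokens in JavaScript and generate the query from them), as an added example that is not part of the original thread or Splunk's own code. The function names, the treatment of a lone `*` as blank, and the sample values are assumptions; wiring the result into a dashboard token is not shown.

```javascript
// Quote a user-supplied value for use as an SPL field value. Backslashes and
// double quotes are escaped so the typed text cannot close the quoted string
// and append its own search terms.
function quoteSplValue(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Treat undefined, null, whitespace-only, and a lone "*" as "left blank".
// Counting "*" as blank is an assumption: it is a common default for text
// inputs and is what makes an empty box match every event.
function isBlank(raw) {
  if (raw === undefined || raw === null) return true;
  const v = String(raw).trim();
  return v === '' || /^\*+$/.test(v);
}

// Build the filter clause from the text inputs.
// `inputs` maps field name -> raw token value.
// Returns null when every input is blank, so the caller can skip the search
// instead of running an unfiltered one.
function buildFilter(inputs) {
  const terms = [];
  for (const [field, raw] of Object.entries(inputs)) {
    if (isBlank(raw)) continue; // blank input: leave this field out entirely
    // Field names come from the dashboard author, not the user, but are
    // still checked so a typo cannot produce a malformed clause.
    if (!/^[A-Za-z_][A-Za-z0-9_.]*$/.test(field)) {
      throw new Error('unexpected field name: ' + field);
    }
    terms.push(field + '=' + quoteSplValue(String(raw).trim()));
  }
  return terms.length === 0 ? null : '(' + terms.join(' OR ') + ')';
}

// Constructed sample inputs, standing in for $value1$ and $value2$.
console.log(buildFilter({ Field1: 'alice', Field2: '' }));
console.log(buildFilter({ Field1: 'alice', Field2: 'host-7' }));
console.log(buildFilter({ Field1: '', Field2: undefined }));
```

When `buildFilter` returns null, the dashboard should leave the search token unset rather than substitute an empty string, so the panel waits for input.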