Case Rex on drop-down

JoshuaJohn
Contributor

I have a query that receives input from a drop-down.

Example info coming from the drop-down:
Static: All = *
Dynamic = Application name + Version

All
Nitro 10.9.1.1455
Runner 11.2.1.1444
Calendar 11.1.0.1355

I am physically splitting the name of the application from the version number because my index has Application as a separate field from Version and does not accept the application with the version (i.e. Calendar 11.1.0.1355) as an input. I am combining the two in my drop-down for user simplicity.

How queries require the input:
Application = Calendar
Version = 11.1.0.1355

index=search
| eval Applications = "$App_token$"
| rex field=Applications "^(?<Application>\D+)"
| rex field=Applications "(?<Install_Version>\d.*)"
| dedup Mac_Address Application
| search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
| chart limit=50 count over "Application" by "Install Status"

How would I build a case where "All" would display all applications rather than *?


niketn
Legend

@JoshuaJohn, what are the fields in your index=search corresponding to Application and Version? You have not applied any filter for either one in your search.

Besides your query, you should also check your existing query for the following:

1) All your search filters should be in your base query

 index=search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"

2) You should have single rex for Application and Install_Version. If Application Name does not have spaces you can try the following:

| rex field=Applications "^(?<Application>[^\s]+)\s(?<Install_Version>.*)"

If there may be spaces in the Application name, maybe you can try the following:

| rex field=Applications "^(?<Application>[\D|\s]+)(?<Install_Version>[\d|\.]+)"

PS: This could also be handled in the drop-down itself. Will your drop-down have multiple entries for the same App with different versions?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
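To see what the two single-rex patterns above actually capture on the drop-down values from the question, and how the static "All" choice (`*`) can be turned into an unconstrained base search instead of a single row labelled `*`, here is an added Python example that emulates `rex` with Python's `re` module. It is not code from this thread: the `[^\s]+` and `[\D|\s]+` patterns are the ones in the answer (only the named-group syntax changes for Python), the "Acrobat Reader" value, the `split_app_version`, `spl_quote` and `build_filter` helpers are assumptions, and the field names Application and Version are the ones the question says the index expects.

```python
import re

# Constructed drop-down values mirroring the question: "*" is the static
# "All" entry, the rest are "<Application> <Version>". The last value is a
# hypothetical two-word application name that is not on the page.
DROPDOWN_VALUES = [
    "*",
    "Nitro 10.9.1.1455",
    "Runner 11.2.1.1444",
    "Calendar 11.1.0.1355",
    "Acrobat Reader 23.1.0.1",
]

# Splunk rex uses PCRE named groups (?<name>...); Python's re needs
# (?P<name>...). Apart from that the two patterns are the answer's own.
NO_SPACE_RE = re.compile(r"^(?P<Application>[^\s]+)\s(?P<Install_Version>.*)")
# Inside a character class '|' is a literal pipe, not alternation, so
# [\D|\s] is effectively "any non-digit" and [\d|\.] is "digit, dot or pipe".
SPACE_RE = re.compile(r"^(?P<Application>[\D|\s]+)(?P<Install_Version>[\d|\.]+)")


def split_app_version(value, pattern=SPACE_RE):
    """Emulate `| rex field=Applications "<pattern>"` on one drop-down value.

    Returns (Application, Install_Version); both are None when the pattern
    does not match, which is when rex would leave the fields unset. Like
    rex, the captured text is not trimmed, so the space that [\\D|\\s]+
    swallows after the application name is left in place for the caller.
    """
    m = pattern.match(value)
    if not m:
        return None, None
    groups = m.groupdict()
    return groups.get("Application"), groups.get("Install_Version")


def spl_quote(value):
    """Wrap a value in double quotes for use as an SPL string literal.

    Backslashes and double quotes inside the value are escaped so that a
    drop-down entry cannot terminate the literal early when it is
    interpolated into the search string (assumed helper).
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def build_filter(value):
    """Turn one drop-down selection into the Application/Version filter.

    The static "All" entry ("*") adds no constraint at all, which is what
    makes "All" return every application instead of a row labelled "*".
    Any other entry is split with the space-tolerant pattern, the trailing
    space is stripped from the name, and both halves are quoted.
    """
    if value == "*":
        return ""
    app, ver = split_app_version(value, SPACE_RE)
    if app is None or ver is None:
        raise ValueError(f"unparseable drop-down value: {value!r}")
    return f"Application={spl_quote(app.strip())} Version={spl_quote(ver)}"


def compare_patterns(values=DROPDOWN_VALUES):
    """Show both patterns side by side for every constructed value."""
    return {
        v: {
            "no_space": split_app_version(v, NO_SPACE_RE),
            "space": split_app_version(v, SPACE_RE),
            "filter": build_filter(v),
        }
        for v in values
    }


if __name__ == "__main__":
    for value, result in compare_patterns().items():
        print(f"{value!r}: {result}")
```

Two things the comparison makes visible: the `[^\s]+` pattern splits "Acrobat Reader 23.1.0.1" into Application "Acrobat" and Install_Version "Reader 23.1.0.1", which is exactly the space problem the answer warns about, while `[\D|\s]+` keeps the whole name but leaves a trailing space that a `| eval Application=trim(Application)` would have to remove before it can match the index's own Application field. `build_filter` quotes the pieces because the drop-down value is being pasted into a search string; in a Simple XML dashboard the `|s` token filter (`$App_token|s$`) does the same quoting at the dashboard layer.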

tiagofbmm
Influencer

Hi

Can you check if that works for you?

index=search
| eval Applications = "$App_token$"
| rex field=Applications "^(?<Application>\D+)"
| rex field=Applications "(?<Install_Version>\d.*)"
| dedup Mac_Address Application
| search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
| chart limit=50 count over "Application" by "Install Status"
| eval Application=if(Application=="*","All","*")

It is just a cosmetic operation at the end of the whole calculation.
