Splunk Search

Case Rex on drop-down

JoshuaJohn
Contributor

I have a query that receives input from a drop-down.

Example info coming from the drop-down:
Static: All = *
Dynamic = Application name + Version

All
Nitro 10.9.1.1455
Runner 11.2.1.1444
Calendar 11.1.0.1355

I am physically splitting the name of the application from the version number because my index has Application as a separate field from Version and does not take the application with the version (i.e. Calendar 11.1.0.1355) as an input. I am combining the two in my drop-down for user simplicity.

How queries require the input:
Application = Calendar
Version = 11.1.0.1355

 index=search
 | eval Applications = "$App_token$"
 | rex field=Applications "^(?<Application>\D+)"
 | rex field=Applications "(?<Install_Version>\d.*)$"
 | dedup Mac_Address Application
 | search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
 | chart limit=50 count over "Application" by "Install Status"

How would I build a case where "All" would display all applications rather than *?


niketn
Legend

@JoshuaJohn, what are the fields in your index=search corresponding to Application and Version? You have not applied any filter for either one in your search.

Besides your query, you should also check your existing query for the following:

1) All your search filters should be in your base query

 index=search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"

2) You should have a single rex for Application and Install_Version. If the Application name does not have spaces you can try the following:

| rex field=Applications "^(?<Application>[^\s]+)\s(?<Install_Version>.*)"

If there may be spaces in the Application name, maybe you can try the following:

| rex field=Applications "^(?<Application>\D+?)\s*(?<Install_Version>[\d.]+)$"

PS: This could also be handled in the drop down itself. Will your dropdown have multiple entries for same App with different versions?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
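A worked check of the extraction niketn describes above, added here as an example (it is not code from the thread or from Splunk). It runs the single-regex split over constructed drop-down values (the three from the question plus an assumed two-word name, "Foxit Reader 9.0.1.1049"), handles the static "All" choice before the regex instead of after it, shows why the original `^(?<Install_Version>^\d.*)` pattern never extracts anything, and builds the filter clause the base search needs. The field names Application and Version are taken from the question; the `spl_quote` helper is a hypothetical name introduced here.

```python
import re

# Splunk rex uses PCRE named groups (?<name>...); Python's re needs (?P<name>...).
# Otherwise this is the same pattern you would hand to rex: lazy name, then
# whitespace, then a dotted version number anchored to the end of the string.
APP_VERSION_RE = re.compile(r"^(?P<Application>.+?)\s+(?P<Install_Version>\d[\d.]*)$")

# The poster's second rex, as written: both ^ anchors force the version to start
# at offset 0, which a "Name 1.2.3" value never does.
ORIGINAL_VERSION_RE = re.compile(r"^(?P<Install_Version>^\d.*)")

# Constructed drop-down values (the question's three plus one two-word name).
DROPDOWN_VALUES = [
    "*",                        # static "All" entry
    "Nitro 10.9.1.1455",
    "Runner 11.2.1.1444",
    "Calendar 11.1.0.1355",
    "Foxit Reader 9.0.1.1049",  # assumed value: application name with a space
]


def split_app_version(token):
    """Return (application, version) for a 'Name 1.2.3' drop-down value.

    The static 'All' choice (token '*') returns (None, None): it is not an
    application name, so it should not be pushed through the regex at all.
    """
    if token in ("*", "All"):
        return None, None
    m = APP_VERSION_RE.match(token.strip())
    if not m:
        raise ValueError(f"unrecognised drop-down value: {token!r}")
    return m.group("Application"), m.group("Install_Version")


def original_version_rex_matches(token):
    """True if the poster's original Install_Version rex would extract anything."""
    return ORIGINAL_VERSION_RE.match(token) is not None


def spl_quote(value):
    """Escape backslashes and double quotes so a token value cannot break out
    of the SPL string it is interpolated into."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(token):
    """Filter clause for the base search, using the index's own fields
    (assumed here to be Application and Version, as in the question)."""
    app, ver = split_app_version(token)
    if app is None:
        return "Application=*"
    return f"Application={spl_quote(app)} Version={spl_quote(ver)}"


if __name__ == "__main__":
    for value in DROPDOWN_VALUES:
        print(f"{value!r:28} -> {build_filter(value)}"
              f"   (original version rex matches: {original_version_rex_matches(value)})")
```

The filter belongs in the base search, as niketn says: once the token is split, `index=search Application="Calendar" Version="11.1.0.1355" ...` restricts events before the `dedup` and `chart`, and the "All" case simply becomes `Application=*`, so the chart shows the real application names rather than the literal `*` that the `eval`/`rex` pair writes into the Application field. Because a drop-down value is spliced verbatim into the search string, quote it (Splunk Simple XML's `$App_token|s$` token filter does the same job as `spl_quote` here).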

tiagofbmm
Influencer

Hi

Can you check if that works for you?

 index=search
 | eval Applications = "$App_token$"
 | rex field=Applications "^(?<Application>\D+)"
 | rex field=Applications "(?<Install_Version>\d.*)$"
 | dedup Mac_Address Application
 | search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"
 | chart limit=50 count over "Application" by "Install Status"
 | eval Application=if(Application=="*","All",Application)

It is just a cosmetic operation at the end of the whole calculation.
