
Can you help me with my multiple Input field search criteria?

rakeshyv0807
Explorer

Hi,

I have a dashboard where the requirement is to have multiple input fields (a drop down and two input search fields for now). Initially, we introduced only the dropdown, and as the requirement had changed to have two input text fields to search on results, I have added new input fields to the dashboard. The dropdown is for selecting the environment and the input text fields for searching Request IDs of two different types from the results.

Ideally, we want to display all the results according to the selection on dropdown (dev, test, prod), and after displaying results, if I take a field value of SR number from one of the columns in the results and search it, I want to display only the records associated with the searched Request ID. If I don't have anything on the input text field, I want to display all the results based on dropdown selection.

Right now, I am not able to display any results based on dropdown as I have to enter an input to all the filters. Can someone help me resolve the issue? Please refer to the below search.

index=Pid sourcetype=poclog AND (Stripe=$StripeName$ OR DocumentID= $SRLineNumber$ OR TrackingID1= $SRNumber$) | rename _time as Time, DocumentID AS SRLineNumber, TrackingID1 AS SRNumber, TrackingID2 AS Depot, TrackingID3 AS HoldID| convert ctime(Time) | table Time Stripe FromSystem ToSystem TransactionNumber SRNumber SRLineNumber Transactiontype Depot HoldID InstanceID Status ErrorMessage Payload | sort -Time

Stripe is the dropdown; DocumentID and TrackingID1 are the input fields.

0 Karma

woodcock
Esteemed Legend

It is pretty clear that some events have Stripe = DEV and other events have TrackingID1 = * but no events have both. In short, your search and your dashboard are working perfectly. You will need to do some correlation to merge events or change your SPL to make this work. You are investigating the wrong problem space.

0 Karma

felipesewaybric
Contributor

As kmaron has written, you can use the *. For the second reply, can you post your input XML source?

0 Karma

rakeshyv0807
Explorer

@felipesewaybricker Thanks for your response. Here is my source:

<form>
  <label>Integration POC Dashboard for Repair</label>
  <fieldset>
    <input type="dropdown" token="StripeName">
      <label>Stripe</label>
      <choice value="DEV">DEV</choice>
      <default>DEV</default>
    </input>
    <input type="text" token="SRNumber" searchWhenChanged="true">
      <label>SRNumber</label>
      <default>*</default>
    </input>
    <input type="text" token="SRLineNumber" searchWhenChanged="true">
      <label>SRLineNumber</label>
      <default>*</default>
    </input>
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Integration POC Test</title>
      <table>
        <search>
          <query>index=pid sourcetype=poclog AND (Stripe = $StripeName$ OR DocumentID = $SRLineNumber$ OR TrackingID1= $SRNumber$) | rename _time as Time, DocumentID AS SRLineNumber, TrackingID1 AS SRNumber, TrackingID2 AS Depot, TrackingID3 AS HoldID| convert ctime(Time) | table Time Stripe FromSystem ToSystem TransactionNumber SRNumber SRLineNumber Transactiontype Depot HoldID InstanceID Status ErrorMessage Payload | sort -Time</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>

I want to display all the results when the dashboard is loaded based on the Stripe selection, which is happening right now. But I also want to display the corresponding results when a user enters a value in either TrackingID1/DocumentID. Currently, we are displaying all the results initially, since I have Stripe=Dev, TrackingID1=* and DocumentID=* selected. Can you please suggest how I can get it done? Thanks in advance.

0 Karma

kmaron
Motivator

If you set the default of all of your inputs to be * then you should be able to change your ORs to ANDs and it will fill in the * if nothing else is chosen.

rakeshyv0807
Explorer

@kmaron Thanks for your input. I have tried to follow the way you suggested. But when I gave the default value as * for both input text fields and changed the ORs to ANDs, the query is unable to display any results for the search. Also, when I tried to remove one of the input text fields, it worked. I would like to display both input text fields on the dashboard. Below is my updated search query as you suggested, which isn't working:

index=pid sourcetype=poclog AND Stripe = DEV AND DocumentID = * AND TrackingID1 = * | rename _time as Time, DocumentID AS SRLineNumber, TrackingID1 AS SRNumber, TrackingID2 AS Depot, TrackingID3 AS HoldID| convert ctime(Time) | table Time Stripe FromSystem ToSystem TransactionNumber SRNumber SRLineNumber Transactiontype Depot HoldID InstanceID Status ErrorMessage Payload | sort -Time

And the below query is working when I remove one of the input text fields from my search:

index=pingid sourcetype=poclog AND Stripe = DEV AND DocumentID = * | rename _time as Time, DocumentID AS SRLineNumber, TrackingID1 AS SRNumber, TrackingID2 AS Depot, TrackingID3 AS HoldID| convert ctime(Time) | table Time Stripe FromSystem ToSystem TransactionNumber SRNumber SRLineNumber Transactiontype Depot HoldID InstanceID Status ErrorMessage Payload | sort -Time

Can you please let me know why my query isn't working for two input text fields? Thanks in advance.

0 Karma
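
A run-anywhere search illustrating woodcock's point, added here as an example and not taken from any post in the thread: in SPL, `field=*` matches only events in which the field exists, so ANDing `DocumentID=*` with `TrackingID1=*` drops every event that carries just one of the two. The three events are constructed with `makeresults` (two with only DocumentID, one with only TrackingID1, an assumption about the real data based on that reply), and the `fillnull` line with its "-" placeholder is one possible workaround, not something proposed in the thread.

```spl
| makeresults count=3
| streamstats count AS n
| eval Stripe="DEV"
| eval DocumentID=case(n<=2, "D".tostring(n))
| eval TrackingID1=case(n==3, "T1")
| fillnull value="-" DocumentID TrackingID1
| search Stripe=DEV AND DocumentID=* AND TrackingID1=*
| table n Stripe DocumentID TrackingID1
```

Run as is, all three rows come back; delete the `fillnull` line and the same filter returns nothing, which matches the behaviour reported for the query with two text inputs.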