- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filter by token only if token is present
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter by token only if token is present
I want to display all of my widgets by their type. Sometimes though, I want to look up a particular widget (via a text field on my dashboard).
... `rex field=Message "Blahblah(?<Type>\w+).*" | rex field=Message "xyz(?<Widget>\w+)" | stats list(Type) as Type, list(Widget) as Widgets by Whatever | where isNotNull(Type) AND if($targetWidget$=*, TRUE, "$targetWidget$" IN(Widgets)) | sort -_time`
What I'm trying to say is "If I've specified a target widget, just grab all the widgets with a type. Otherwise, filter by targetWidget (the value entered in the text box). I have my targetWidget defaulting to *. Different combinations of quotes/no quotes around various things alternately give me errors, "search is waiting for input" for forever, or simply no results.
The below query works just fine, without the IF statement.
... where isNotNull(Type) AND "$targetWidget$" IN(Widgets)) | sort -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe don't control it in your query, but control it in the textfield/form of your dashboard and set a default value of "all" on the formfield. If your dashboard text field passes nothing in, and the user loads the dashboard (or presses submit - however you have it set up), then they receive all the widgets. If you type something into the form field, then you get that. This means you already figured out the code you need for your query.
where isNotNull(Type) AND "$targetWidget$" IN(Widgets)) | sort -_time
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@stevedefazio while posting code/data on Splunk answers use the code button (10101) or select code/data and use keyboard shortcut Ctrl+K. This will ensure that special characters in your code/data will not get removed.
Also for the community to assist you better please provide sample data for the two scenario you trying to execute with sample query which you want to run. For example it is not quite clear whether the value entered in the text box is field name or field value? What is Widgets? Is it field name or field value?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your comments. I c an see that by not formatting it properly I made it basically impossible to read.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
