Dashboards & Visualizations

Dashboard search filter doesn't work for 1 of 4 panels

fraserj
New Member

Hi,

Our text search bar filter works for all panels but one. However, it does load new data initially when the dashboard starts. According to the user who uses this dashboard, it stopped working after one of our Splunk admins added the _time field to the table (I don't feel this is the case). Below is the search query for the panel NOT working with our search bar filter:

sourcetype=cerberus-ftp host=SERVER_NAME (src_ip="" OR user="" OR (file="" AND file_action="")) *
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| search file_action=Uploaded
| table _time, file, file_action
| dedup file

Below are the three dashboard panel search queries which ARE working with our search bar filter:

host=SERVER_NAME sourcetype="SOURCE" EventCode!=500 *PRD
| table _time, SourceName, EventCode, file
| eval SourceName = mvindex(SourceName,0)
| lookup workday_sftp_sql_eventcodes EventCode OUTPUT Action
| fields _time, SourceName, file, Action
| sort -_time
| table file
| dedup file

sourcetype=cerberus-ftp host=SERVER_NAME (src_ip="" OR user="" OR (file="" AND file_action="")) *PRD
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| table _time, connection_id, user, src_ip, file, file_action

host=SERVER_NAME sourcetype="SOURCE" EventCode!=500 *PRD
| table _time, SourceName, EventCode, file
| eval SourceName = mvindex(SourceName,0)
| lookup workday_sftp_sql_eventcodes EventCode OUTPUT Action
| fields _time, SourceName, file, Action
| sort -_time

Any help with this is greatly appreciated!

Fraser

0 Karma

to4kawa
Ultra Champion

| search file_action=Uploaded
No. 1 query selects file_action. Through no result, I think.

This is my recommended query:

sourcetype=cerberus-ftp host=SERVER (src_ip=$tokenA$ OR user=$tokenB$ OR (file=$tokenC$ AND file_action=$tokenD$)) 
| eval file_action=case(match(file_action,"stored"),"Uploaded",match(file_action,"sent"),"Downloaded",match(file_action,"deleted"),"Deleted")
| eval file_action = file.":".file_action
| stats first(_time) as _time list(file_action) as file_action by connection_id
| stats values(_time) as _time by file_action
| eval file=mvindex(split(file_action,":"),0)
| eval file_action=mvindex(split(file_action,":"),1)
| table _time, file, file_action
0 Karma
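To make the stages of the recommended query concrete, here is an added Python model of that pipeline (not code from the thread or from Splunk) run over constructed cerberus-ftp-style events; the field names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample events modelled on the thread's cerberus-ftp fields.
# Not real log data.
EVENTS = [
    {"connection_id": "c1", "_time": 100, "file": "a.csv", "file_action": "stored"},
    {"connection_id": "c1", "_time": 105, "file": "b.csv", "file_action": "sent"},
    {"connection_id": "c2", "_time": 200, "file": "a.csv", "file_action": "stored"},
    {"connection_id": "c3", "_time": 300, "file": "c.csv", "file_action": "deleted"},
]

# eval file_action=case(match(file_action,"stored"),"Uploaded", ...)
ACTION_MAP = {"stored": "Uploaded", "sent": "Downloaded", "deleted": "Deleted"}

def normalise_action(raw):
    for needle, label in ACTION_MAP.items():
        if needle in raw:
            return label
    return None  # case() with no default yields null

def recommended_pipeline(events):
    # stats first(_time) as _time list(file:action) as file_action by connection_id
    by_conn = defaultdict(lambda: {"_time": None, "file_action": []})
    for ev in events:
        action = normalise_action(ev["file_action"])
        if action is None:
            continue
        conn = by_conn[ev["connection_id"]]
        if conn["_time"] is None:
            conn["_time"] = ev["_time"]
        conn["file_action"].append(f'{ev["file"]}:{action}')
    # stats values(_time) as _time by file_action
    times = defaultdict(set)
    for conn in by_conn.values():
        for fa in conn["file_action"]:
            times[fa].add(conn["_time"])
    # split "file:action" back into the two table columns
    rows = []
    for fa, ts in sorted(times.items()):
        file, action = fa.split(":", 1)
        rows.append({"_time": sorted(ts), "file": file, "file_action": action})
    return rows

def filter_action(rows, action):
    # the first panel's "| search file_action=Uploaded" step, applied after renaming
    return [r for r in rows if r["file_action"] == action]
```

Filtering on the renamed value ("Uploaded") returns rows; filtering on the raw value ("stored") after the rename returns nothing, which is why the order of the rename and the search matters.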

to4kawa
Ultra Champion

#1 & #3 are the same?

0 Karma

fraserj
New Member

Apologies. I don't know how I ended up doing that. Just for clarification, I just checked the queries for dashboard panels #1 and #3. They are very similar, yet the third one works and the first one does not; see below:

1 Query:

sourcetype=cerberus-ftp host=SERVER (src_ip="" OR user="" OR (file="" AND file_action="")) *
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| search file_action=Uploaded
| table _time, file, file_action
| dedup file

3 Query:

sourcetype=cerberus-ftp host=SERVER (src_ip="" OR user="" OR (file="" AND file_action="")) *PRD
| transaction connection_id
| mvexpand file
| mvexpand file_action
| rex field=file_action mode=sed "s/stored/Uploaded/g"
| rex field=file_action mode=sed "s/sent/Downloaded/g"
| rex field=file_action mode=sed "s/deleted/Deleted/g"
| table _time, connection_id, user, src_ip, file, file_action

Note: Servers are identical on both queries.

What's confusing is that the only difference is in the search terms, with #1 wildcarding everything and #3 only wildcarding PRD. Plus the piped search line in #1, which shouldn't affect this, right? If you think it does, I could remove this search line and add it into the search terms instead of wildcarding all file_actions initially (I didn't write this query and the person who did has left, so I can't refer back to him on what has changed).

0 Karma