Dashboards & Visualizations

Search for specific fields but also list results that do not contain those fields in a dashboard.

snix
Communicator

I am building out a dashboard that can do lookups on Windows DHCP logs. There are a few fields I would like to filter against but not all fields are always in all results. For instance, I have 5 inputs I allow the user to filter the results with (Time, IP, MAC, Hostname, Description). I then give those inputs field names and input them into the panel's query:

index=dhcp dest_ip=$ip_field$ dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$discription_field$

But some results may not contain a MAC address field or may not have a hostname field.

As long as the relevant input has a default wildcard in it I still would want to get back results that do not contain that field. If the user enters something specific into the input, only then I would want it to return results that only had that field in it.

0 Karma
1 Solution

snix
Communicator

Thank you for the detailed response, Giuseppe. Sorry I didn't do a great job in describing the issue I am having. I am not using drop-down input for this; I am using text inputs.

The main issue I was running into was some of the results from my query would sometimes not contain data in all the fields that I have dashboard inputs for. That is expected, but since each input has a default of "*" it automatically then sets the query to force all results to contain something in each field or the result would be filtered out.

What I did to get around this was to add:

fillnull value=NULL

I put this in before I searched for any fields that may come back empty:

index=dhcp dest_ip=$ip_field$
| fillnull value=NULL
| search dest_mac=$mac_field$ dest_nt_host=$host_field$ description=$description_field$

That way all fields did technically have something in them and were not left out if there was no original data in them.

0 Karma

gcusello
SplunkTrust

Hi snix,
it isn't so elegant but you could change the default value in your dropdown list, you could insert:

<input type="text" token="ip_field">
  <label>Dest IP Address</label>
  <default>*" OR NOT dest_ip="*</default>
  <prefix>(dest_ip="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="mac_field">
  <label>MAC Address</label>
  <default>*" OR NOT dest_mac="*</default>
  <prefix>(dest_mac="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="host_field">
  <label>Dest host</label>
  <default>*" OR NOT dest_nt_host="*</default>
  <prefix>(dest_nt_host="</prefix>
  <suffix>")</suffix>
</input>
<input type="text" token="description_field">
  <label>description</label>
  <default>*" OR NOT description="*</default>
  <prefix>(description="</prefix>
  <suffix>")</suffix>
</input>

and in your search put

index=dhcp $ip_field$ $mac_field$ $host_field$ $description_field$

Bye.
Giuseppe

0 Karma
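
A complete Simple XML form built around the fillnull approach from the accepted solution, added here as an example and not taken from any post in the thread. The time token name, the explicit field list on fillnull, the `|s` token filter (which wraps each typed value in quotes) and the final table command are assumptions beyond what the posts show.

```xml
<form version="1.1">
  <label>DHCP lookup</label>
  <fieldset submitButton="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="ip_field">
      <label>IP</label>
      <default>*</default>
    </input>
    <input type="text" token="mac_field">
      <label>MAC</label>
      <default>*</default>
    </input>
    <input type="text" token="host_field">
      <label>Hostname</label>
      <default>*</default>
    </input>
    <input type="text" token="description_field">
      <label>Description</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- fillnull runs before the optional-field filter, so events
               lacking a field carry NULL and still match the default "*".
               Naming the fields limits the placeholder to the three that
               are filtered and creates a field that no event carries. -->
          <query>index=dhcp dest_ip=$ip_field|s$
| fillnull value=NULL dest_mac dest_nt_host description
| search dest_mac=$mac_field|s$ dest_nt_host=$host_field|s$ description=$description_field|s$
| table _time dest_ip dest_mac dest_nt_host description</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With this layout, typing NULL into one of the three optional inputs returns exactly the events where that field was missing, and the results table shows NULL in place of an empty cell.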