Splunk Search

how to search based on optional text fields?

rarangarajanspl
Explorer

I have a couple of text boxes (Tracking no and Track Type) in my dashboard and both are optional.

<fieldset submitButton="true" autoRun="false">
  <input type="text" token="TrackingNo">
    <label>Tracking Number</label>
    <default></default>
    <change>
      <condition value="">
        <set token="TrackingNo">*</set>
      </condition>
    </change>
  </input>
  <input type="text" token="Tracktype">
    <label>Tracktype</label>
    <default></default>
    <change>
      <condition value="">
        <set token="Tracktype">*</set>
      </condition>
    </change>
  </input>
</fieldset>

Scenario 1: Once the user clicks the submit button without any input, the dashboard should display all the data.
Scenario 2: By giving both values, it should fetch all the records exactly matching with Tracking no and Track Type.
Scenario 3: By giving only Track no, it should fetch all the records matching with Tracking no, irrespective of Track type. (With above simple XML code, track type is supplied as *. )
Scenario 4: By giving only Track type, it should fetch all the records matching with Tracking type, irrespective of Track no. (With above simple XML code, Tracking no is supplied as *. )

Please help me to construct the search query

0 Karma

gcusello
SplunkTrust

Hi @rarangarajansplunk,
if Track_No and Track_Type are present in all events, you can use " * " as the default value.

There's a problem if one of the above fields is missing in some events, because the default condition field=* excludes events without this field (you have this problem in cases 1, 3 and 4).

So, in this second case, (if acceptable for you) you could use a more complicated default value (e.g. Track_Type=* OR NOT Track_Type=* ).

Ciao.
Giuseppe

0 Karma