I am building a dashboard for a customer who just wants to show their Cisco switches and routers in a single table, all of it being the sourcetype cisco:ios. Building the table is relatively straightforward, along with creating the drop-down menus that are dynamically generated from Splunk searches. If I filter on a host that doesn't have a particular field I'm referencing in the table I am populating, no results return at all. The way I have the search constructed is as follows:

index=network sourcetype=cisco:ios mnemonic="$mnemonic$" host="$host$" protocol="$protocol$" reason="$reason$" message_text="$message_text$" severity="$severity$" src_interface="$src_interface$" | table _time,mnemonic,host,hostname,protocol,reason,message_text,severity,src_interface

My default value for anything referencing a variable is "*". So back to my issue: if the field doesn't exist, Splunk doesn't return results, since it is an implicit AND. So for example, if I filter on the host "foo", my search creating this table would ultimately look like this:

index=network sourcetype=cisco:ios mnemonic="*" host="foo" protocol="*" reason="*" message_text="*" severity="*" src_interface="*" | table _time,mnemonic,host,hostname,protocol,reason,message_text,severity,src_interface

which yields no results, since host foo doesn't have a couple of the specified fields.

I did some research and found the following post about a similar issue, but it only addresses when you are doing a static table and have missing fields. You essentially do an eval and, if null, fill in the field with static text.

Filter on the host first, because we know we are always going to have a host value. Then run an eval on each field we need in our table. If the value is null, then fill in with "missing" or whatever. Then pipe that into a subsearch where you apply your variables, and since the missing fields now have a value in them, a =* value will work. So it would look sorta kinda like this:

index=network sourcetype=cisco:ios host="$host$" | eval mnemonic=if(isnull(mnemonic),"missing",mnemonic) ... repeat for each field, then pipe into ... | search mnemonic="$mnemonic$" ... do this for each field, finally pipe into a table ... | table _time,mnemonic,host,hostname,protocol,reason,message_text,severity,src_interface

I wanted to pick everyone's brains and see how they would approach this and if my way is really that efficient.

Like this:

index=network sourcetype=cisco:ios host="$host$" | fillnull value="missing" mnemonic protocol reason message_text severity src_interface | search mnemonic="$mnemonic$" protocol="$protocol$" reason="$reason$" message_text="$message_text$" severity="$severity$" src_interface="$src_interface$" | table _time mnemonic host hostname protocol reason message_text severity src_interface

But if you have more than 1 indexer this approach will drastically slow your performance, so if you are not using multiselect, I would instead use this trick to create a base search that will map/reduce: modify the inputs in your fieldset with populating searches like this:

index=network sourcetype=cisco:ios | stats values(mnemonic) AS name | mvexpand name | eval value = "mnemonic=\"" . name . "\"" | append | streamstats count AS serial | eval serial=if(name="*", 0, serial) | sort 0 serial | fields name value

Then use a search like this for your panel:

index=network sourcetype=cisco:ios host="$host$" $mnemonic$ $protocol$ $reason$ $message_text$ $severity$ $src_interface$ | table _time mnemonic host hostname protocol reason message_text severity src_interface

And, just in case you wanted to allow the dropdown to give the option of looking for NULL values in a particular field:

[| search $TheOverallSearch$ (NOT $TheFieldName$=*)
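The behaviour the question and the answer turn on, modelled in Python as an added example (this is not code from the thread or from Splunk): a `field="*"` clause still requires the field to be present, so an event missing any one tokenised field is dropped by the implicit AND; filling the gaps with `fillnull`/`eval isnull` before `| search` lets `*` match; and the answer's dropdown trick, where the dropdown value is a whole clause such as `mnemonic="UPDOWN"` and the "*" entry is an empty string, emits no clause at all for unfiltered fields. The events, the helper names (`search`, `fillnull`, `results_for`, `render_panel_search`) and the simplified matching rules are constructed here and cover only the part of Splunk's search semantics the discussion depends on.

```python
"""Simulate `field="*"` on events that lack the field, and the two fixes
from the thread.  Added example, not from the original thread; the events
are constructed, not real cisco:ios data, and `field_matches` models only
the subset of Splunk search semantics the discussion relies on."""

from fnmatch import fnmatchcase

# Constructed sample events.  Host "foo" lacks `protocol` and
# `src_interface`, which is the situation the question describes.
EVENTS = [
    {"host": "foo", "mnemonic": "CONFIG_I", "severity": "5", "reason": "console",
     "message_text": "Configured from console by admin"},
    {"host": "foo", "mnemonic": "UPDOWN", "severity": "3", "reason": "down",
     "message_text": "Line protocol on Interface Gi0/1 changed state to down"},
    {"host": "bar", "mnemonic": "UPDOWN", "severity": "3", "reason": "up",
     "protocol": "line", "message_text": "changed state to up", "src_interface": "Gi0/2"},
]

# Fields the dashboard tokenises and tables (from the thread).
TABLE_FIELDS = ["mnemonic", "protocol", "reason", "message_text", "severity", "src_interface"]


def field_matches(event, field, pattern):
    """Splunk-style `field="pattern"`: the field must exist (not null) and its
    value must match the wildcard, case-insensitively.  `*` therefore still
    requires presence, which is the implicit-AND problem in the question."""
    value = event.get(field)
    if value is None:
        return False
    return fnmatchcase(str(value).lower(), pattern.lower())


def search(events, filters):
    """Apply `field="pattern"` clauses joined with implicit AND."""
    return [e for e in events if all(field_matches(e, f, p) for f, p in filters.items())]


def fillnull(events, fields, value="missing"):
    """`| fillnull value="missing" f1 f2 ...`: copies events, filling absent fields.
    Equivalent to the asker's per-field `eval f=if(isnull(f),"missing",f)`."""
    return [{**e, **{f: e.get(f, value) for f in fields}} for e in events]


def tokens_as_value_filters(selected):
    """Dropdowns whose default value is "*": every token becomes a `field="..."`
    clause, so an event missing any one of the fields is dropped."""
    return {f: selected.get(f, "*") for f in TABLE_FIELDS}


def dropdown_clause(field, choice):
    """The answer's populating-search trick: the dropdown *value* is a whole
    clause like `mnemonic="UPDOWN"`, and the "*" entry has an empty value, so
    nothing is emitted for unfiltered fields (assumes single-select inputs)."""
    return "" if choice == "*" else f'{field}="{choice}"'


def render_panel_search(host, selected):
    """Assemble the panel search string the way `$token$` substitution would."""
    clauses = [c for c in (dropdown_clause(f, selected.get(f, "*")) for f in TABLE_FIELDS) if c]
    head = ["index=network sourcetype=cisco:ios", f'host="{host}"', *clauses]
    return " ".join(head) + " | table _time " + " ".join(["host", "hostname"] + TABLE_FIELDS)


def results_for(host, selected, approach):
    """Events the table would show for a host under one of three designs:
    'naive'    - tokens default to "*" and go straight into the base search;
    'fillnull' - fill missing fields first, then `| search` with the tokens;
    'clause'   - tokens are whole clauses, unfiltered fields emit nothing."""
    base = search(EVENTS, {"host": host})
    if approach == "naive":
        return search(base, tokens_as_value_filters(selected))
    if approach == "fillnull":
        return search(fillnull(base, TABLE_FIELDS), tokens_as_value_filters(selected))
    if approach == "clause":
        return search(base, {f: c for f, c in selected.items() if c != "*"})
    raise ValueError(f"unknown approach: {approach}")


if __name__ == "__main__":
    for approach in ("naive", "fillnull", "clause"):
        rows = results_for("foo", {}, approach)
        print(f"{approach:8s} host=foo, no filters -> {len(rows)} row(s)")
    print(render_panel_search("foo", {"mnemonic": "UPDOWN"}))
```

With no dropdown selections, host foo returns nothing under the naive design, both rows under the fillnull design (with `protocol` and `src_interface` reading `missing`, which then appears in the table), and both rows under the clause design, whose rendered search contains no `="*"` clauses at all.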