I believe I have what is a very simple question, but with all my searching I have been unable to find an answer.
I've made a simple dashboard to show successful and failed logins to our application. I have created a dropdown/radio button panel with some static options shown below. I can show all results with an asterisk and only successful logins with 0, but using "!=0" to get everything that doesn't equal 0 doesn't produce any results.
I have tried some basic combinations of !=0, !="0", !=="0" here in the Static Options window.
What am I missing? The tutorials I've found don't specifically cover this type of syntax. Thank you in advance!
Hi @HugheJass ,
try adding the field to use in the condition, e.g.
All my_field=*
Successful my_field=0
Failed my_field!=0
Ciao.
Giuseppe
Thank you for the tip to add the field into my condition, but this produces no results. Leaving in * and 0 show those results, but even putting "my_field=0" shows none.
Hi @HugheJass ,
What's the field you are using for the conditions *, 0, !=0? In the shared code there isn't any field.
my_field is a common name that means the field that you're using.
Ciao.
Giuseppe
I do understand that "my_field" was just a placeholder since you did not know the name of my tokens. My actual field is status.errorCode and creating a token "errorCode" from that does pull my results into the dashboard. The problem comes when I tried to filter my token "errorCode" to show anything that isn't a value of 0.
I posted my code in another reply here.
Hi @HugheJass ,
use this field in the conditions
status.errorCode=*
status.errorCode=0
status.errorCode!=0
or
'status.errorCode'=*
'status.errorCode'=0
'status.errorCode'!=0
Ciao.
Giuseppe
1. If possible, avoid using screenshots. Paste your code into preformatted paragraph or a code block - it's much easier to read/respond this way.
2. Unless I'm blind you don't show how you're using this token.
Thank you for your formatting advice. This is my first detailed post as I dive into Splunk dashboards, so I will keep that in mind moving forward.
The token works fine in general with a wildcard or 0, so I didn't add more detail on how it's used because I didn't think that part needs troubleshooting. The data is there in my results. I figured there is a simple syntax issue that's stopping me from filtering it properly. I'm pulling login events from Azure AD. The field I'm working with here is status.errorCode. I'm using two tokens - UserID and errorCode.
index="mscloud" userPrincipalName="$UserID$" status.errorCode="$errorCode$" | spath userPrincipalName | search userPrincipalName="*@company.com" | spath status.errorCode | search status.errorCode="*" | sort -_time | table _time createdDateTime userPrincipalName appDisplayName status.errorCode status.failureReason status.additionalDetails clientAppUsed conditionalAccessStatus
OK. So you can see that if you substitute the token with the actual value, you're gonna get something that makes no sense:
index="mscloud" userPrincipalName="some_username" status.errorCode=!=0
Since token replacement is just a simple text substitution, you might need something like this:
index="mscloud" userPrincipalName="$UserID$" status.errorCode$errorCode$
(and define your choices as "=*", "=0", "!=0" respectively)
or do
index="mscloud" userPrincipalName="$UserID$" $errorCode$
and define your choices as whole conditions ("status.errorCode=0" and so on)
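The first of those two approaches, written out as a complete Simple XML form. This is an added example, not code from the thread; it assumes the index (mscloud), tokens (UserID, errorCode), field (status.errorCode) and domain (company.com) from the original search, and reuses them as constructed values.

```xml
<form>
  <label>Azure AD sign-ins (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Free-text token, substituted verbatim into the quoted userPrincipalName filter -->
    <input type="text" token="UserID">
      <label>UserID</label>
      <default>*</default>
    </input>
    <!-- Each choice value is the operator AND the value, because the token is
         pasted directly after the field name in the query below -->
    <input type="radio" token="errorCode">
      <label>Result</label>
      <choice value="=*">All</choice>
      <choice value="=0">Successful</choice>
      <choice value="!=0">Failed</choice>
      <default>=*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Substitution yields e.g. status.errorCode!=0 rather than status.errorCode="!=0" -->
          <query>index="mscloud" userPrincipalName="$UserID$" status.errorCode$errorCode$
| search userPrincipalName="*@company.com"
| sort -_time
| table _time userPrincipalName appDisplayName status.errorCode status.failureReason</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If you prefer the second approach, make each choice value a whole condition (for example "status.errorCode!=0") and put a bare $errorCode$ in the query where the field filter would go.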