Dashboards & Visualizations

Static Options not equal to 0

HugheJass
Loves-to-Learn

I believe I have what is a very simple question, but with all my searching I have been unable to find an answer.

I've made a simple dashboard to show successful and failed logins to our application.  I have created a dropdown/radio button panel with some static options shown below.  I can show all results with an asterisk and only successful logins with 0, but using "!=0" to get everything that doesn't equal 0 doesn't produce any results.

I have tried some basic combinations of !=0, !="0", !=="0" here in the Static Options window.

What am I missing?  The tutorials I've found don't specifically cover this type of syntax.  Thank you in advance!

[Screenshots: panel edit view and source view of the "MS Authenticator - Classic" dashboard, Splunk 9.0.4.1]


gcusello
SplunkTrust

Hi @HugheJass ,

try adding the field to use in the condition, e.g.

All              my_field=*
Successful       my_field=0
Failed           my_field!=0

Ciao.

Giuseppe


HugheJass
Loves-to-Learn

Thank you for the tip to add the field into my condition, but this produces no results.  Leaving in * and 0 show those results, but even putting "my_field=0" shows none.


gcusello
SplunkTrust

Hi @HugheJass ,

What's the field you are using for the conditions *, 0, !=0? In the shared code there isn't any field.

my_field is a common name that means the field that you're using.

Ciao.

Giuseppe


HugheJass
Loves-to-Learn

I do understand that "my_field" was just a placeholder since you did not know the name of my tokens.  My actual field is status.errorCode and creating a token "errorCode" from that does pull my results into the dashboard.  The problem comes when I tried to filter my token "errorCode" to show anything that isn't a value of 0.  

I posted my code in another reply here.


gcusello
SplunkTrust

Hi @HugheJass ,

use this field in the conditions

status.errorCode=*
status.errorCode=0
status.errorCode!=0

or

'status.errorCode'=*
'status.errorCode'=0
'status.errorCode'!=0

Ciao.

Giuseppe


PickleRick
SplunkTrust

1. If possible, avoid using screenshots. Paste your code into a preformatted paragraph or a code block - it's much easier to read/respond this way.

2. Unless I'm blind you don't show how you're using this token.


HugheJass
Loves-to-Learn

Thank you for your formatting advice.  This is my first detailed post as I dive into Splunk dashboards, so I will keep that in mind moving forward.

The token works fine in general with a wildcard or 0, so I didn't add more detail on how it's used because I didn't think that part needs troubleshooting.  The data is there in my results.  I figured there is a simple syntax issue that's stopping me from filtering it properly.  I'm pulling login events from Azure AD.  The field I'm working with here is status.errorCode.  I'm using two tokens - UserID and errorCode.

index="mscloud" userPrincipalName="$UserID$" status.errorCode="$errorCode$"  | spath userPrincipalName | search userPrincipalName="*@company.com"  | spath status.errorCode | search status.errorCode="*"| sort _time + desc | table  _time createdDateTime userPrincipalName appDisplayName status.errorCode status.failureReason status.additionalDetails clientAppUsed conditionalAccessStatus


PickleRick
SplunkTrust

OK. So you can see that if you substitute the token with the actual value, you're gonna get something that makes no sense:

index="mscloud" userPrincipalName="some_username" status.errorCode=!=0

Since token replacement is just a simple text substitution, you might need something like that:

index="mscloud" userPrincipalName="$UserID$" status.errorCode$errorCode$

(and define your choices as "=*", "=0", "!=0" respectively)

or do

index="mscloud" userPrincipalName="$UserID$" $errorCode$

and define your choices as whole conditions ("status.errorCode=0" and so on)

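As an added example that is not part of this thread, here is a Simple XML form applying the second approach (the whole condition carried in the token), using the index, field and token names from the question; the dashboard label, the input labels and the time range are assumptions.

```xml
<!-- Added example: Simple XML form using the "whole condition in the token" approach.
     Index, field and token names come from the thread; labels and time range are assumed. -->
<form>
  <label>MS Authenticator - Classic</label>
  <fieldset submitButton="false">
    <!-- Free-text input: the |s filter wraps the value in double quotes and
         escapes any quotes/backslashes, so the typed text stays one string literal. -->
    <input type="text" token="UserID">
      <label>User ID</label>
      <default>*</default>
    </input>
    <!-- Fixed choice list: each value is a complete, valid SPL clause, because
         $errorCode$ is inserted into the search as raw text (no quoting filter). -->
    <input type="radio" token="errorCode">
      <label>Login result</label>
      <choice value="status.errorCode=*">All</choice>
      <choice value="status.errorCode=0">Successful</choice>
      <choice value="status.errorCode!=0">Failed</choice>
      <default>status.errorCode=*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="mscloud" userPrincipalName=$UserID|s$ $errorCode$
| spath userPrincipalName
| search userPrincipalName="*@company.com"
| spath status.errorCode
| sort -_time
| table _time createdDateTime userPrincipalName appDisplayName status.errorCode status.failureReason status.additionalDetails clientAppUsed conditionalAccessStatus</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The first variant from the reply above works with the same form: set the choice values to `=*`, `=0` and `!=0` and write `status.errorCode$errorCode$` in the query instead of the bare `$errorCode$`.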