topic How to set default value of variable in serch query in Splunk Search

How to set default value of variable in serch query

geetanjali — Thu, 26 May 2011 11:03:19 GMT

Hello,

I have a view having bar graph with timechart command. I have two drop downs in my view. Withe selecting different values from drop down, it will change the bar graph.

following is the query :

index="test" sourcetype="testalert" AlertGroup=$alertGroup$ Node=$Node$ | fields LastOccurrence, Severity, Node, Location, AlertGroup, Summary | timechart count(LastOccurrence) by Severity

$alertGroup$ and $Node$ are two drop down variables. While changing drop down values,the value of these variables changes.

Problem is, i want to display chart on page load and on page load the values of these two variables are null and my query is returning null value. I want to set the default value of these variables as "Any". By default all the results should show in graph.

Please help, if any body knows the solution.

Thanks in advance

Geetanjali

Re: How to set default value of variable in serch query

hazekamp — Thu, 26 May 2011 16:28:51 GMT

geetanjali,

Assuming you are using Advanced XML StaticSelect or SearchSelect Lister modules with ConvertToIntention, you can add an "Any" option like so (basically the value for the "Any" options is "*"; If you still want to see events that don't have an AlertGroup field you would need to add a "| fillnull" to your search):

<module name="StaticSelect">
  <param name="settingToCreate">alertGroup_setting</param>
  <param name="label">Alert Group: </param>
  <param name="searchWhenChanged">True</param>
  <param name="staticFieldsToDisplay">
    <list>
      <param name="label">Any</param>
      <param name="value">*</param>
    </list>
    ...
  </param>
  <module name="ConvertToIntention">
    <param name="settingToConvert">alertGroup_setting</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="alertGroup">
          <param name="value">$target$</param>
        </param>
      </param>
    </param>

Re: How to set default value of variable in serch query

geetanjali — Fri, 27 May 2011 05:17:22 GMT

Hi,
thanks for the suggestions. I have implemented this query. But it is giving zero result.
index="tougou" sourcetype="alert" AlertGroup=$alertGroup$ Node=$Node$ | fields LastOccurrence, Severity, Node, Location, AlertGroup, Summary | timechart count(LastOccurrence) by Severity | fillnull value="Any"

Correct me where i m wrong.

thanks