https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176303#M50636 <P>Hi,</P> <P>No idea why it is slower when putting field1=* in your search. It is supposedly same, based on my experience.</P> <P>Anyways you can achieve your objective by trying the below guide:</P> <P>On your dropdown box:<BR /> 1. On "token Prefix" under "token options" input this: field1="<BR /> 2. On "token suffix" under "token options" input this: "<BR /> 3. Leave empty the value of "ALL" under static options.<BR /> 4. Then click save.</P> <P>On the search inside your panel:<BR /> index=… source=… $field1$ | chart ...</P> <P>Cheers...</P> Fri, 09 Jan 2015 03:46:40 GMT jhlopez 2015-01-09T03:46:40Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176302#M50635 <P>Dear All,</P> <P>I have a small performance problem and I'd like to know if someone can help me. I have a basic dashboard with a dropdown populated from a query (everything works), to which I added a static option "ALL" with a value of *.</P> <P>Let's say my field and token are both named "field1", when I select it, updates a graph in the same dashboard. The query I use for this graph is the following :</P> <PRE><CODE>index=… source=… field1=$field1$ | chart ... </CODE></PRE> <P>This works, but is slow when I use the "ALL" static option, as it translates to :</P> <PRE><CODE>index=… source=… field1=* | chart ... </CODE></PRE> <P>I did try the same search without the field1=* (which gives the same results) and it is very fast, so that's what I'm trying to achieve, when "ALL" is selected :</P> <PRE><CODE>index=… source=… | chart ... </CODE></PRE> <P>I tried a couple of ways but cannot find the right solution. I'm probably looking at something like this :</P> <PRE><CODE>index=… source=… (X OR field1=$field1$) | chart … </CODE></PRE> <P>Where X would be some kind of condition that would render the expression always true but can't find the right syntax.</P> <P>I also tried:<BR /> - setting the value to null, and having index=… source=… (isnull($field1$) OR field1="$field1$") | chart ...<BR /> - setting the value to true, and having index=… source=… ($field1$ OR field1="$field1$") | chart ...</P> <P>Or maybe something else entirely?</P> <P>Regards,<BR /> Laurent</P> Thu, 08 Jan 2015 20:49:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176302#M50635 lduchesne 2015-01-08T20:49:12Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176303#M50636 <P>Hi,</P> <P>No idea why it is slower when putting field1=* in your search. It is supposedly same, based on my experience.</P> <P>Anyways you can achieve your objective by trying the below guide:</P> <P>On your dropdown box:<BR /> 1. On "token Prefix" under "token options" input this: field1="<BR /> 2. On "token suffix" under "token options" input this: "<BR /> 3. Leave empty the value of "ALL" under static options.<BR /> 4. Then click save.</P> <P>On the search inside your panel:<BR /> index=… source=… $field1$ | chart ...</P> <P>Cheers...</P> Fri, 09 Jan 2015 03:46:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176303#M50636 jhlopez 2015-01-09T03:46:40Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176304#M50637 <P>It is working perfect !!</P> Mon, 26 Sep 2016 19:13:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-filtering-search-using-a-select-drop-down-value/m-p/176304#M50637 lakhanlal 2016-09-26T19:13:19Z