I've created a custom dashboard with a search form. I've got several input fields for users to search with; however, I cannot set the default value to * because not every field appears in every row.
If I leave the fields blank, Splunk will leave out the token from my search string...which is what I want. However, the first time I try to run a search, my results panel sits at "Search is waiting for input..." until I fill in all of my input fields. All subsequent searches don't require a value in every field.
If I use * in each field, events that are missing a field are omitted from the results. The only other way I can think to get around this is to use fillnull on my result set. However, that seems like an intense search to me, as Splunk would need to grab all my results, fill in the null values, and then do a second search.
I think fillnull is the best approach. You could also use | eval ifnull(field) bla bla bla, but it would be even more intensive.
The approach I use with heavy dashboards is to create a couple of reports, outputting all to a table and scheduling it to run every X minutes/hours. I then create my dashboard using searches starting with:
| loadjob savedsearch="admin:search:my saved report" | search fieldA="1" AND fieldB="*" | stats count by fieldC
You can do all lookups, fillnulls and any data cleansing at the schedule report phase and the dashboard will run fast, very fast!
The pitfall is that the "loadjob" command will only work if the report already ran and has results. The report needs to run at least once via the scheduler. You can keep an eye on "Activity->Jobs" and you'll see your saved report running and completed.
Cheers
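An added example (not from either poster) of the pattern the answer describes, written as a Splunk SimpleXML form: fillnull runs once in the scheduled report, so the dashboard inputs can safely default to * and the panel no longer waits for input. The report name, field names and index are assumed placeholders.

```xml
<!-- Constructed example: a SimpleXML form that reads a scheduled report via loadjob.
     "my saved report" (owner admin, app search), fieldA/fieldB/fieldC and index=web
     are placeholders, not names from the thread. -->
<form>
  <label>Search prepared results</label>
  <!-- The scheduled report is assumed to run on a timer (e.g. every 15 minutes) with:
         index=web | fillnull value="-" fieldA fieldB | table _time fieldA fieldB fieldC
       Because fillnull happens there, every row in the job has fieldA and fieldB,
       so a wildcard in the dashboard no longer drops rows that lacked a field. -->
  <fieldset submitButton="true" autoRun="true">
    <!-- A default of "*" also defines the tokens on first load, so the panel does not
         sit at "Search is waiting for input..." until every field is filled in. -->
    <input type="text" token="fieldA">
      <label>fieldA</label>
      <default>*</default>
    </input>
    <input type="text" token="fieldB">
      <label>fieldB</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
| loadjob savedsearch="admin:search:my saved report"
| search fieldA="$fieldA$" AND fieldB="$fieldB$"
| stats count by fieldC
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

As the answer notes, loadjob returns nothing until the scheduler has completed the report at least once; check Activity->Jobs for a finished run before expecting results from the form.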