Archive

Search Blank value

Builder

Hi Experts,

I have changed the blank value in a drop down with a string . So for drop down query is

<input type="dropdown" token="act" searchWhenChanged="false">
        <label>Action</label>
        <default>*</default>
        <choice value="*">All</choice>
        <search>
    <query>index=test |eval act = if(isnull(Action) OR Action="", "Unknown", Action)|dedup act</query>
  </search>
  <fieldForLabel>act</fieldForLabel>
  <fieldForValue>act</fieldForValue>
</input>

Now based on this drop down selection I am displaying a table .

My Problem is

Things are working fine for all other options except when I select Unknown in the drop down . So the table query is
Please help me to resolve this .

<table>
        <title></title>
        <search>
          <query>index=test Action=$act$| stats count by Action,src,dst,proto,Protocol,s_port| sort - count | fields Action,src,s_port,dst,Protocol,count|rename count as "Hits"</query>
          <earliest>$time_display.earliest$</earliest>
          <latest>$time_display.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>       
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>

Thanks
VG

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi vikas_gopal,
you have to make the reverse transformation:

index=test Action=$act$ 
| eval Action = if(act="Unknown","",Action) 
| stats count by Action,src,dst,proto,Protocol,s_port
| sort - count 
| fields Action,src,s_port,dst,Protocol,count
|rename count as "Hits"

Bye.
Giuseppe

View solution in original post

SplunkTrust
SplunkTrust

Hi vikas_gopal,
you have to make the reverse transformation:

index=test Action=$act$ 
| eval Action = if(act="Unknown","",Action) 
| stats count by Action,src,dst,proto,Protocol,s_port
| sort - count 
| fields Action,src,s_port,dst,Protocol,count
|rename count as "Hits"

Bye.
Giuseppe

View solution in original post

Builder

Even I tried this but no luck

index=test |eval act = if(isnull(Action) OR Action="", "Unknown", Action)|search act=$act$| stats count by Action,src,dst,proto,Protocol,s_port| sort - count | fields Action,src,s_port,dst,Protocol,count
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!