Archive

Search Blank value

Builder

Hi Experts,

I have changed the blank value in a drop down with a string . So for drop down query is

<input type="dropdown" token="act" searchWhenChanged="false">
        <label>Action</label>
        <default>*</default>
        <choice value="*">All</choice>
        <search>
    <query>index=test |eval act = if(isnull(Action) OR Action="", "Unknown", Action)|dedup act</query>
  </search>
  <fieldForLabel>act</fieldForLabel>
  <fieldForValue>act</fieldForValue>
</input>

Now based on this drop down selection I am displaying a table .

My Problem is

Things are working fine for all other options except when I select Unknown in the drop down . So the table query is
Please help me to resolve this .

<table>
        <title></title>
        <search>
          <query>index=test Action=$act$| stats count by Action,src,dst,proto,Protocol,s_port| sort - count | fields Action,src,s_port,dst,Protocol,count|rename count as "Hits"</query>
          <earliest>$time_display.earliest$</earliest>
          <latest>$time_display.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">true</option>       
        <option name="drilldown">none</option>
        <option name="count">10</option>
      </table>

Thanks
VG

Tags (1)
0 Karma
1 Solution

Legend

Hi vikas_gopal,
you have to make the reverse transformation:

index=test Action=$act$ 
| eval Action = if(act="Unknown","",Action) 
| stats count by Action,src,dst,proto,Protocol,s_port
| sort - count 
| fields Action,src,s_port,dst,Protocol,count
|rename count as "Hits"

Bye.
Giuseppe

View solution in original post

Legend

Hi vikas_gopal,
you have to make the reverse transformation:

index=test Action=$act$ 
| eval Action = if(act="Unknown","",Action) 
| stats count by Action,src,dst,proto,Protocol,s_port
| sort - count 
| fields Action,src,s_port,dst,Protocol,count
|rename count as "Hits"

Bye.
Giuseppe

View solution in original post

Builder

Even I tried this but no luck

index=test |eval act = if(isnull(Action) OR Action="", "Unknown", Action)|search act=$act$| stats count by Action,src,dst,proto,Protocol,s_port| sort - count | fields Action,src,s_port,dst,Protocol,count
0 Karma