Archive
Highlighted

Search parameter changed, need help with query

Contributor

i have a search parameter for ex : search Data="Test". This data is there in the index and it has daily ingest and it has daily _time.

This Data field is a filter , which i select and then it shows me all the data with Data="Test" via drilldown token.
Now this field has changed to "NoTest"

now when i choose from drilldown, i see "NoTest" instead of "Test".
if i choose "NoTest", all previous data is not showing as they all have Data="Test": ( this table has historical data so i need to show both )

i need a way to show both "NoTest" and "Test" without changing much of query ( as other filters are unchanged, only this one has changed )

Tags (1)
0 Karma
Highlighted

Re: Search parameter changed, need help with query

Ultra Champion
0 Karma
Highlighted

Re: Search parameter changed, need help with query

SplunkTrust
SplunkTrust

I assume you're working with dashboards here? Without seeing the source code, it's hard to say what the root cause is. Can you provide the Simple XML and a dummy of the example search that you're using?

These docs may be helpful in your case:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/tokens
https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/FormEditor

Also, I recommend downloading the Dashboard Examples app from Splunkbase where you can copy example source code for dropdown inputs (and more!):

https://splunkbase.splunk.com/app/1603/

0 Karma
Highlighted

Re: Search parameter changed, need help with query

Esteemed Legend

Show us your XML.

0 Karma
Highlighted

Re: Search parameter changed, need help with query

Contributor

i will not be able to share the query , but i found a way around it, i was able to eval and replace the old value with new value so that it works fine now, its a bit slow , but does the job...

0 Karma