i have a search parameter for ex : search Data="Test". This data is there in the index and it has daily ingest and it has daily _time.
This Data field is a filter , which i select and then it shows me all the data with Data="Test" via drilldown token.
Now this field has changed to "NoTest"
now when i choose from drilldown, i see "NoTest" instead of "Test".
if i choose "NoTest", all previous data is not showing as they all have Data="Test": ( this table has historical data so i need to show both )
i need a way to show both "NoTest" and "Test" without changing much of query ( as other filters are unchanged, only this one has changed )
I assume you're working with dashboards here? Without seeing the source code, it's hard to say what the root cause is. Can you provide the Simple XML and a dummy of the example search that you're using?
These docs may be helpful in your case:
Also, I recommend downloading the Dashboard Examples app from Splunkbase where you can copy example source code for dropdown inputs (and more!):
i will not be able to share the query , but i found a way around it, i was able to eval and replace the old value with new value so that it works fine now, its a bit slow , but does the job...