Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard studio: How to create search for value that may be null - efficiently?

Andy-AVA
Engager
‎09-15-2023 01:15 PM

Hello!

I'm using a text input box to input a username. If I were to simply put that username into my base search, it works great and is very quick. I have other search input parameters, so my problem is that if I DON'T specify a username, I want it to include all values. This includes null values. I started by using an asterisk as the default input value, but that doesn't include null values. The only way I've been able to make this partially work is by removing the username from the base search, then using an eval command to give the null entries a value, and then search the base results for either "*" to include everything, or the username I typed in. This is horribly inefficient because I have to search my entire database for every entry before I can filter it. I also think this doesn't work properly because it has a limit on the number of results in the base search. 

I've done a lot of searching for doing an eval command BEFORE the base search, but that doesn't seem to be possible. This can't be a unique scenario. How do I search for both "null" and "NOT null" values in the base search without removing my username input box?

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2023 11:59 PM

Set the default of your text input to "*" and extend your initial search like this

index=<your index and other filters> 
    [| makeresults
    | fields - _time
    | eval username="$your_text_search$"
    | where username!="*"
    | return username]

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2023 11:59 PM

Set the default of your text input to "*" and extend your initial search like this

index=<your index and other filters> 
    [| makeresults
    | fields - _time
    | eval username="$your_text_search$"
    | where username!="*"
    | return username]
Reply
Solved! Jump to solution

Andy-AVA
Engager
‎09-18-2023 08:48 AM

Genius! Thank you! I spent WAY too much time trying to find out how to do that. I skipped the "fields - _time" section. I'm not sure what that's for? It seems to work well without it.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-18-2023 08:54 AM

Yes, you don't need that - it is just a habit I have when using makeresults as it is the only field that is automatically added by makeresults.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...