Evaluating form field if not null?

Tisiphone_1
Explorer

Hi all,

I am trying to include the contents of a form field into an AND search clause only if the form field is not null.

So, say there are three input fields: field1, field2, and field3.

If the user enters stuff into field1 and field3, I want to search:

index=stuff search1=field1 AND search3=field3

But my search looks like this:

index=stuff search1=field1 AND search2=field2 AND search3=field3

So, the example search will return no results because search2 does not equal "".

Is there a way I can use eval isnotnull() to remove a field from my search string if the user doesn't enter anything?

gkanapathy
Splunk Employee

There are at least two ways around this:

The best is to use prefix and suffix values in your form field. In simple XML, this would look like:

<input type="text" token="field3">
  <prefix>search3="</prefix>
  <suffix>"</suffix>
</input>

and your searchTemplate could look like:

search1=$field1$ search2=$field2$ $field3$

This method will only include $field3$ if the user typed a value at all. The other method would be to set a default:

<input type="text" token="field3">
    <default>*</default>
</input>

and searchTemplate:

search1=$field1$ search2=$field2$ search3=$field3$

This actually behaves slightly differently as it requires that search3 must have some value, while the previous will return results where search3 is not set at all.

tugnet
Explorer

That was the answer I was looking for:

in Splunk 6, for the first method to work, you'll need to include a blank
<default></default>

Had some strange behaviour in my dashboards, because I used to make an "optional" search for a keyword appended to the base search (| search $something$) - and by default, splunk <6 omitted an empty input. Now the mentioned statement brings back this behaviour - thanks for the hint 🙂
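
The prefix/suffix method from the accepted answer, combined with the blank default tugnet describes for Splunk 6, written out as a complete form. This is an added example, not code from any poster in this thread; the labels, the time range, and the `<search><query>` layout (used by later Simple XML versions in place of searchTemplate) are assumptions.

```xml
<form>
  <label>Optional field filters (constructed example)</label>
  <fieldset submitButton="true">
    <!-- Each input carries its own clause in prefix/suffix. As reported in
         the thread, an empty value leaves the token empty, so the whole
         clause drops out of the query. The blank default is the Splunk 6
         requirement tugnet mentions. -->
    <input type="text" token="field1">
      <label>search1</label>
      <default></default>
      <prefix>search1="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="field2">
      <label>search2</label>
      <default></default>
      <prefix>search2="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="field3">
      <label>search3</label>
      <default></default>
      <prefix>search3="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Adjacent terms are ANDed implicitly.
               field1 and field3 filled, field2 empty gives:
                 index=stuff search1="..." search3="..."
               All three empty gives just: index=stuff
               Keep index=stuff fixed in the query so an empty form can
               never widen the search beyond this index. -->
          <query>index=stuff $field1$ $field2$ $field3$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```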

ehudb
Contributor

That is pure magic! Looked for this for so much time! Thanks.
Actually, from all the other discussions in Splunk Answers, it seems like there is no way to set an empty token in a search.
Apparently it works.

smashedpumpkins
Explorer

Years later this still helped me resolve an issue where I needed an if statement against a search rather than storing a result in an eval. The only difference is in Splunk 6, for the first method to work, you'll need to include a blank .

To elaborate further, I have a form that populates a dropdown menu with a lookup table. The lookup table stores a search as the value for each dropdown entry. The dashboard serves the purpose of updating, deleting and adding new entries. Using prefix & suffix let me ignore form fields thus deleting lookup table entries instead of adding.

Tisiphone_1
Explorer

I think that the former is working. It became more complicated because I made the operator (and/or) a variable too, but I did:


$operator$ search3="
"

and it worked!

gljiva
Path Finder

Maybe something like this eval newfield = if(field == "", "*", field) | search1=newfield ?

Tisiphone_1
Explorer

Hmm,

So I am now doing:

index=stuff | eval newfield = if(field1 == "", "*", field1) | index=stuff (search1=newfield OR search2=field2)

But this throws a failhandler error.
