Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I make one field mandatory?

alex_kh
Explorer
‎10-04-2018 05:01 AM

Hello everybody

I have a dashboard with 4 text inputs (Example: color, shape size, weight)

Splunk takes all these values and performs a search over 9 different indexes.

The problem is that some indexes don't contain all the fields.
for example

Index A has ALL fields
Index B has fields: size, shape and taste
Index C has fields:color, size, sound

that's why when i enter red asterix asterix asterix

i want to have all the events with color=red even if i get something like
red null big 80 indexY
red square small null indexX

by the next search i would define the shape=square as mandatory field
red square small null indexX
null square null null 80 indexZ

Is it somehow possible? maybe with a checkbox?

Tags (1)
0 Karma
Reply

493669
Super Champion
‎10-04-2018 05:11 AM

make field value as null whose value is not present like below-

|eval size=if(isnull(size),"NULL",size), shape=if(isnull(shape),"NULL",shape)
0 Karma
Reply

alex_kh
Explorer
‎10-04-2018 05:42 AM

I suppose you got me wrong.

I have 4 inputs
color=/*
size=/*
shape=/*
weight=/*

If user enters

color= red
size=/*
shape=/*
weight=/*

i want to have results like

red smth smth smth
red smth smth smth
red null null smth

But the color column is ALWAYS filled with red

next search
User enters

color= /*
size=Big
shape=/*
weight=/*

I get a table with
smth big smth smth
smth big smth Null
null big smth smth

0 Karma
Reply

493669
Super Champion
‎10-04-2018 07:07 AM

@alex_kh ,
Suppose when you search with Colour=Red and other field as *, then which events you are receiving and what events you are expecting to come as output?

0 Karma
Reply

alex_kh
Explorer
‎10-05-2018 02:40 AM

If i run my query with AND
color=$token1$ shape=$token2$ I either get no results or only results from the index which contains all fields

when i do the same stuff with OR
color=$token1$ OR shape=$token2$

I get smth like
red round
red square
yellow round
green triangle

0 Karma
Reply

493669
Super Champion
‎10-05-2018 02:47 AM

writing AND makes it compulsory to have both fields in events and making it OR makes either one of the field is present then also you will get results.
So what is your expected output?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...