There's a panel w/ SPL that uses the tokens.
| search ....... ("$tok1$" "$tok2$" "$tok3$")
The dashboard's user may have one, or two, or all three tokens for which they'd go ahead and input & submit.
When I test with 1 token it seems the panel search returns all events. I reason this is because
"" exists in the search.
| search .......... ("" "[value from token]" "")
I don't know how to write a dashboard where the SPL disregards a token if it has no value and therefore will not return all events.
Thanks in advance for the help.
probably I didn't understand: if you don't insert a value in the text box, you want to not use this token in search, in other words all events, so what's the problem?
Hi @gcusello thanks for your question. Below is the problem pls lmk if this is unclear:
Expected Outcome: only events where provided token(s) exists are returned.
Actual Outcome: all events return even if I specify one token. The aforementioned “all events” don’t even have the provided token in them.
could you share your full search?
If in the search you're using AND (or nothing that's the same thing), only the tokens with value are used in the search.
If instead you are using OR, if one token hasn't a value, all the events are listed.
It seems that you're using AND (
| search ....... ("$tok1$" "$tok2$" "$tok3$") ), please confirm.
@gcusello I think this is IN clause for specific field which would run an OR not AND.
| search field1 IN ("$tok1$","$tok2$","$tok3$")
However, @jsven7 the question is lacking a lot of required details for community to be able to answer your question.
Can you please add the Simple XML code from your text input are the tokens being set directly or through input change event handler?
If they are being set directly then any missing value in the text box will make it null and in turn will not allow search to run. So, are you using default value for text box or change even handler for default value where you are setting null text box value to empty string?
You may also have to provide more details from your panel with search filter query like? What is the data before search filter and after search filter? Please do a sample with mock/anonimization for any sensitive data.
I tried search filter for empty sting and it did not return results with empty string (if you remove the final search there are four rows including one with empty strings.
Following is the search query I tried as per your question. Please feel free to modify the search as per your actual sample data.
| makeresults | fields - _time | eval data="a,b,c,\"\"" | makemv data delim="," | mvexpand data | search data IN ("a","b","")