How to exclude specific option from all option in dynamic drop-down?

juvenile
Loves-to-Learn
<input id="select_abc" type="multiselect" token="token_abc" searchWhenChanged="true">
    <label>ABC</label>

    <default>*</default>

    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>"</valuePrefix>
    <valueSuffix>"</valueSuffix>

    <choice value="*">All</choice>
    <search base="base_search">
        <query>
            | stats count as count by some_field
            | sort 0 - count
        </query>
    </search>
    <fieldForLabel>some_field</fieldForLabel>
    <fieldForValue>some_field</fieldForValue>

    <delimiter>,</delimiter>

    <change>
        <condition label="All">
            <set token="token_abc">("*") AND some_field != "SomeArbitraryStringValue"</set>
        </condition>
    </change>
</input>

I was wondering how I can exclude a specific option from the asterisk (*) value of the "All" option? Also, how does it work with parentheses and also excluding it from the default value?

Thank you

0 Karma

gcusello
SplunkTrust

Hi @juvenile ,

create a more complicated value for All, e.g. if you want to exclude events with some_field="xxx":

<input id="select_abc" type="multiselect" token="token_abc" searchWhenChanged="true">
    <label>ABC</label>

    <default>*</default>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <choice value='* AND NOT some_field="SomeArbitraryStringValue"'>All</choice>
    <search base="base_search">
        <query>
            | stats count as count by some_field
            | sort 0 - count
        </query>
    </search>
    <fieldForLabel>some_field</fieldForLabel>
    <fieldForValue>some_field</fieldForValue>
</input>

Please adapt this solution to your requirements.

Ciao.

Giuseppe

0 Karma

juvenile
Loves-to-Learn

Hi @gcusello , thank you for your answer. What about the default value?

0 Karma

gcusello
SplunkTrust

Hi @juvenile ,

as you like: the same as All or one of the dynamic values.

Ciao.

Giuseppe

0 Karma
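
Added example, not part of the thread: a small Python model of how a multiselect input assembles its token from prefix, suffix, valuePrefix, valueSuffix and delimiter, applied to the settings in the question and in the answer. It assumes the documented Simple XML behaviour (each selected value is wrapped, the values are joined with the delimiter, which defaults to a space, and the result is wrapped once); the values "a" and "b" are constructed.

```python
from dataclasses import dataclass


@dataclass
class Multiselect:
    """Token-formatting settings of a Simple XML multiselect input."""
    prefix: str = ""
    suffix: str = ""
    value_prefix: str = ""
    value_suffix: str = ""
    delimiter: str = " "  # Splunk's default delimiter is a single space

    def render(self, selected):
        """Token = prefix + delimiter-joined wrapped values + suffix."""
        wrapped = [f"{self.value_prefix}{v}{self.value_suffix}" for v in selected]
        return f"{self.prefix}{self.delimiter.join(wrapped)}{self.suffix}"


EXCLUDE = 'some_field="SomeArbitraryStringValue"'
ALL_VALUE = f"* AND NOT {EXCLUDE}"  # value of the answer's "All" choice

# Settings from the question: every value quoted, values comma-separated.
question = Multiselect("(", ")", '"', '"', ",")
# Settings from the answer: outer parentheses only, no per-value quoting.
answer = Multiselect("(", ")")


def examples():
    """Tokens produced for a few selections (a default renders like a selection)."""
    return {
        "question_all": question.render(["*"]),
        "question_two": question.render(["a", "b"]),
        # With valuePrefix/valueSuffix kept, the exclusion is quoted as one string.
        "question_all_excl": question.render([ALL_VALUE]),
        "answer_all": answer.render([ALL_VALUE]),
        # "All" selected together with a dynamic value (constructed).
        "answer_all_plus_one": answer.render([ALL_VALUE, "a"]),
    }


if __name__ == "__main__":
    for name, token in examples().items():
        print(f"{name:20} {token}")
```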