Dashboards & Visualizations

How to handle non existing fields in multi select

shikhanshu
Path Finder

Hi, I have a dashboard with an input element which is a multi-select with a populating search which gets values for the token. The value prefix is

fieldname=" 

and value suffix is

"

I also have a default value of * (with label as All)

So when the user selects All, the token value becomes

fieldname="*"

That's a problem. What I really want to mean by All is, get all records with or without "fieldname". The above value filters out the records in which fieldname is null and I don't want that.

How can I tweak this so that:
1. When user chooses All, the token gets empty string as a value (how is it possible since I have a prefix and suffix)
2. OR, when user chooses All, the token gets value as fieldname="*" OR fieldname="" . That will take care of both null and not null situations.

Tags (1)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

My Suggestion would be add a "Calculated field" for the fieldname used by multiselect. something like this

props.conf

EVAL-fieldname = coalesce(fieldname,"")

This way your fieldname will either have valid value or will have blanks "" and in both cases fieldname="*" will pick that up.

View solution in original post

shikhanshu
Path Finder

This does work. Although I don't have access to props.conf (IT maintained Splunk instance), I am able to use eval command in my search and get this going. Thanks!

Can you make this comment as an answer?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can add calculated fields from Splunk UI as well. Go to Settings->Fields -> Calculated fields .

0 Karma

somesoni2
SplunkTrust
SplunkTrust

My Suggestion would be add a "Calculated field" for the fieldname used by multiselect. something like this

props.conf

EVAL-fieldname = coalesce(fieldname,"")

This way your fieldname will either have valid value or will have blanks "" and in both cases fieldname="*" will pick that up.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...