- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to handle non existing fields in multi select
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi, I have a dashboard with an input element which is a multi-select with a populating search which gets values for the token. The value prefix is
fieldname="
and value suffix is
"
I also have a default value of * (with label as All)
So when the user selects All, the token value becomes
fieldname="*"
That's a problem. What I really want to mean by All is, get all records with or without "fieldname". The above value filters out the records in which fieldname is null and I don't want that.
How can I tweak this so that:
1. When user chooses All, the token gets empty string as a value (how is it possible since I have a prefix and suffix)
2. OR, when user chooses All, the token gets value as fieldname="*" OR fieldname="" . That will take care of both null and not null situations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
My Suggestion would be add a "Calculated field" for the fieldname used by multiselect. something like this
props.conf
EVAL-fieldname = coalesce(fieldname,"")
This way your fieldname will either have valid value or will have blanks "" and in both cases fieldname="*" will pick that up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
This does work. Although I don't have access to props.conf (IT maintained Splunk instance), I am able to use eval command in my search and get this going. Thanks!
Can you make this comment as an answer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
You can add calculated fields from Splunk UI as well. Go to Settings->Fields -> Calculated fields .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
My Suggestion would be add a "Calculated field" for the fieldname used by multiselect. something like this
props.conf
EVAL-fieldname = coalesce(fieldname,"")
This way your fieldname will either have valid value or will have blanks "" and in both cases fieldname="*" will pick that up.
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
