Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to handle non existing fields in multi select
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shikhanshu
Path Finder
12-09-2014
03:23 PM
Hi, I have a dashboard with an input element which is a multi-select with a populating search which gets values for the token. The value prefix is
fieldname="
and value suffix is
"
I also have a default value of * (with label as All)
So when the user selects All, the token value becomes
fieldname="*"
That's a problem. What I really want to mean by All is, get all records with or without "fieldname". The above value filters out the records in which fieldname is null and I don't want that.
How can I tweak this so that:
1. When user chooses All, the token gets empty string as a value (how is it possible since I have a prefix and suffix)
2. OR, when user chooses All, the token gets value as fieldname="*" OR fieldname="" . That will take care of both null and not null situations.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-09-2014
04:45 PM
My Suggestion would be add a "Calculated field" for the fieldname used by multiselect. something like this
props.conf
EVAL-fieldname = coalesce(fieldname,"")
This way your fieldname will either have valid value or will have blanks "" and in both cases fieldname="*" will pick that up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shikhanshu
Path Finder
12-10-2014
12:18 PM
This does work. Although I don't have access to props.conf (IT maintained Splunk instance), I am able to use eval command in my search and get this going. Thanks!
Can you make this comment as an answer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-10-2014
12:35 PM
You can add calculated fields from Splunk UI as well. Go to Settings->Fields -> Calculated fields .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-09-2014
04:45 PM
My Suggestion would be add a "Calculated field" for the fieldname used by multiselect. something like this
props.conf
EVAL-fieldname = coalesce(fieldname,"")
This way your fieldname will either have valid value or will have blanks "" and in both cases fieldname="*" will pick that up.
Get Updates on the Splunk Community!
Enhance Your Splunk App Development: New Tools & Support
UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
