Solved: How to include the events even with the not presen...

VatsalJagani · ‎09-04-2020

How to include the events even with the not present field when selecting All in the dashboard?

Explanation:

I have got a dashboard where there are two dropdown inputs. (Ex. Input A and Input B).
Input B is being populated with a lookup with fields like a, b, c, etc.
Now there are some entries in the lookup where field a is not present (null). And all those entries are never visible in the dashboard.
Reason: Query of Input B is like:

| inputlookup mylookup | search a="$tkn_A$" | table b, c

So, even when I select the value "All" (*) for Input A, these values still don't show.

How can I show these values in the filter when "All"(*) is selected in Input A?

ITWhisperer · ‎09-04-2020

Fields with value null do not equate to anything so

...
| search a=*
...

will find all instances where a is not null

Can you change tkn_A so that it includes the a=, something along these lines

...
<eval token="tkn_A">if(someotherfield="*","","a="+someotherfield)</eval>
...

Then change your search to

...
| search $tkn_A$
...

niketn · ‎09-04-2020

@VatsalJagani how about the following

| inputlookup test.csv where a="$tkn_A$" OR b="*"
| fields a b c

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ITWhisperer · ‎09-04-2020

Fields with value null do not equate to anything so

...
| search a=*
...

will find all instances where a is not null

Can you change tkn_A so that it includes the a=, something along these lines

...
<eval token="tkn_A">if(someotherfield="*","","a="+someotherfield)</eval>
...

Then change your search to

...
| search $tkn_A$
...

VatsalJagani · ‎09-04-2020

Clarifying a bit more:

On change of Input A:

<eval token="tkn_A">if($a$="*"," ","a=".$a$)</eval>

Search Query Change, from: a=$a$ to $tkn_A|s$

How to include the events even with the not present field when selecting All in the dashboard?