Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard drilldown: How to replace "NULL" with isnull(myfield) in a drilldown search?

gunnist
Explorer
‎03-13-2022 07:14 AM

The search behind my chart:

index="myindex" | ... | timechart count by AnimalTypes (the problem is that AnimalTypes sometimes doesn't exist)

My dashboard displays the following Legend:

- cats

- dogs

- NULL (because sometimes AnimalTypes doesn't exist)

 

Drilldown search:

 

index="myindex" | ... | search AnimalTypes=$click.name2$

 

If I click my dashboard for cats or dogs, it works fine , but when I click the NULL barchart, my clickdown search becomes:

 

index="myindex" | .. | search AnimalTypes=NULL

 

(doesn't work)

But it want the search to look like this (which works):

 

index="myindex" | ... | where isnull(AnimalTypes)

 

How do I do this? 🙂

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 12:39 AM

In your drilldown, you should evaluate a token dependent on the value of $click.name2$ and use the new token in the search

<eval token="AnimalTypesSearch">if("$click.name2$"="NULL","isnull(AnimalTypes)","AnimalTypes=$click.name2|s$")</eval>

index="myindex" | ... | where $AnimalTypesSearch$

Also note the switch to using where rather than search so that isnull function becomes valid

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 12:34 PM

@ITWhisperer 

I have a very similar thing going on, I can get the eval in the drilldown to work when I have a static value, however, it does not like when I have a variable in the 'false'
 

in this example it would be the 

"AnimalTypes=$click.name2|s$"

part.  It is not substituting $click.value$ in my case (you have $click.name2|s$) with the value, it is sending the $click. Value$ parameter to the search..

thoughts?

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 01:06 PM

To help others, I figured it out, the false result to have text and a token looks like:
"AnimalTypes=".$click.value$

Notice the "s around the text and the . (dot) between the token.

0 Karma
Reply

gunnist
Explorer
‎03-18-2022 08:17 AM

Hi,

Thanks, but where do I put the:

"<eval token="AnimalTypesSearch">....."

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 08:22 AM

In the drilldown of the panel which you are clicking on.

0 Karma
Reply

somesoni2
Revered Legend
‎03-13-2022 11:59 AM

Give this a try:

Drilldown search:

index="myindex" | ... | where AnimalTypes=if("$click.name2$"="NULL","","$click.name2$")
0 Karma
Reply

gunnist
Explorer
‎03-13-2022 02:36 PM

Then I get  (when I click on the "NULL" legend in the chart):

index="myindex" | ... | where AnimalTypes=if("NULL"="NULL","","NULL")

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top