Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard drilldown: How to replace "NULL" with isnull(myfield) in a drilldown search?

gunnist
Explorer
‎03-13-2022 07:14 AM

The search behind my chart:

index="myindex" | ... | timechart count by AnimalTypes (the problem is that AnimalTypes sometimes doesn't exist)

My dashboard displays the following Legend:

- cats

- dogs

- NULL (because sometimes AnimalTypes doesn't exist)

 

Drilldown search:

 

index="myindex" | ... | search AnimalTypes=$click.name2$

 

If I click my dashboard for cats or dogs, it works fine , but when I click the NULL barchart, my clickdown search becomes:

 

index="myindex" | .. | search AnimalTypes=NULL

 

(doesn't work)

But it want the search to look like this (which works):

 

index="myindex" | ... | where isnull(AnimalTypes)

 

How do I do this? 🙂

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 12:39 AM

In your drilldown, you should evaluate a token dependent on the value of $click.name2$ and use the new token in the search

<eval token="AnimalTypesSearch">if("$click.name2$"="NULL","isnull(AnimalTypes)","AnimalTypes=$click.name2|s$")</eval>

index="myindex" | ... | where $AnimalTypesSearch$

Also note the switch to using where rather than search so that isnull function becomes valid

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 12:34 PM

@ITWhisperer 

I have a very similar thing going on, I can get the eval in the drilldown to work when I have a static value, however, it does not like when I have a variable in the 'false'
 

in this example it would be the 

"AnimalTypes=$click.name2|s$"

part.  It is not substituting $click.value$ in my case (you have $click.name2|s$) with the value, it is sending the $click. Value$ parameter to the search..

thoughts?

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 01:06 PM

To help others, I figured it out, the false result to have text and a token looks like:
"AnimalTypes=".$click.value$

Notice the "s around the text and the . (dot) between the token.

0 Karma
Reply

gunnist
Explorer
‎03-18-2022 08:17 AM

Hi,

Thanks, but where do I put the:

"<eval token="AnimalTypesSearch">....."

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 08:22 AM

In the drilldown of the panel which you are clicking on.

0 Karma
Reply

somesoni2
Revered Legend
‎03-13-2022 11:59 AM

Give this a try:

Drilldown search:

index="myindex" | ... | where AnimalTypes=if("$click.name2$"="NULL","","$click.name2$")
0 Karma
Reply

gunnist
Explorer
‎03-13-2022 02:36 PM

Then I get  (when I click on the "NULL" legend in the chart):

index="myindex" | ... | where AnimalTypes=if("NULL"="NULL","","NULL")

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...