Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Dashboard drilldown: How to replace "NULL" with isnull(myfield) in a drilldown search?

gunnist
Explorer
‎03-13-2022 07:14 AM

The search behind my chart:

index="myindex" | ... | timechart count by AnimalTypes (the problem is that AnimalTypes sometimes doesn't exist)

My dashboard displays the following Legend:

- cats

- dogs

- NULL (because sometimes AnimalTypes doesn't exist)

 

Drilldown search:

 

index="myindex" | ... | search AnimalTypes=$click.name2$

 

If I click my dashboard for cats or dogs, it works fine , but when I click the NULL barchart, my clickdown search becomes:

 

index="myindex" | .. | search AnimalTypes=NULL

 

(doesn't work)

But it want the search to look like this (which works):

 

index="myindex" | ... | where isnull(AnimalTypes)

 

How do I do this? 🙂

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 12:39 AM

In your drilldown, you should evaluate a token dependent on the value of $click.name2$ and use the new token in the search

<eval token="AnimalTypesSearch">if("$click.name2$"="NULL","isnull(AnimalTypes)","AnimalTypes=$click.name2|s$")</eval>

index="myindex" | ... | where $AnimalTypesSearch$

Also note the switch to using where rather than search so that isnull function becomes valid

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 12:34 PM

@ITWhisperer 

I have a very similar thing going on, I can get the eval in the drilldown to work when I have a static value, however, it does not like when I have a variable in the 'false'
 

in this example it would be the 

"AnimalTypes=$click.name2|s$"

part.  It is not substituting $click.value$ in my case (you have $click.name2|s$) with the value, it is sending the $click. Value$ parameter to the search..

thoughts?

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 01:06 PM

To help others, I figured it out, the false result to have text and a token looks like:
"AnimalTypes=".$click.value$

Notice the "s around the text and the . (dot) between the token.

0 Karma
Reply

gunnist
Explorer
‎03-18-2022 08:17 AM

Hi,

Thanks, but where do I put the:

"<eval token="AnimalTypesSearch">....."

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 08:22 AM

In the drilldown of the panel which you are clicking on.

0 Karma
Reply

somesoni2
Revered Legend
‎03-13-2022 11:59 AM

Give this a try:

Drilldown search:

index="myindex" | ... | where AnimalTypes=if("$click.name2$"="NULL","","$click.name2$")
0 Karma
Reply

gunnist
Explorer
‎03-13-2022 02:36 PM

Then I get  (when I click on the "NULL" legend in the chart):

index="myindex" | ... | where AnimalTypes=if("NULL"="NULL","","NULL")

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...