Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard drilldown: How to replace "NULL" with isnull(myfield) in a drilldown search?

gunnist
Explorer
‎03-13-2022 07:14 AM

The search behind my chart:

index="myindex" | ... | timechart count by AnimalTypes (the problem is that AnimalTypes sometimes doesn't exist)

My dashboard displays the following Legend:

- cats

- dogs

- NULL (because sometimes AnimalTypes doesn't exist)

 

Drilldown search:

 

index="myindex" | ... | search AnimalTypes=$click.name2$

 

If I click my dashboard for cats or dogs, it works fine , but when I click the NULL barchart, my clickdown search becomes:

 

index="myindex" | .. | search AnimalTypes=NULL

 

(doesn't work)

But it want the search to look like this (which works):

 

index="myindex" | ... | where isnull(AnimalTypes)

 

How do I do this? 🙂

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 12:39 AM

In your drilldown, you should evaluate a token dependent on the value of $click.name2$ and use the new token in the search

<eval token="AnimalTypesSearch">if("$click.name2$"="NULL","isnull(AnimalTypes)","AnimalTypes=$click.name2|s$")</eval>

index="myindex" | ... | where $AnimalTypesSearch$

Also note the switch to using where rather than search so that isnull function becomes valid

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 12:34 PM

@ITWhisperer 

I have a very similar thing going on, I can get the eval in the drilldown to work when I have a static value, however, it does not like when I have a variable in the 'false'
 

in this example it would be the 

"AnimalTypes=$click.name2|s$"

part.  It is not substituting $click.value$ in my case (you have $click.name2|s$) with the value, it is sending the $click. Value$ parameter to the search..

thoughts?

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 01:06 PM

To help others, I figured it out, the false result to have text and a token looks like:
"AnimalTypes=".$click.value$

Notice the "s around the text and the . (dot) between the token.

0 Karma
Reply

gunnist
Explorer
‎03-18-2022 08:17 AM

Hi,

Thanks, but where do I put the:

"<eval token="AnimalTypesSearch">....."

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 08:22 AM

In the drilldown of the panel which you are clicking on.

0 Karma
Reply

somesoni2
Revered Legend
‎03-13-2022 11:59 AM

Give this a try:

Drilldown search:

index="myindex" | ... | where AnimalTypes=if("$click.name2$"="NULL","","$click.name2$")
0 Karma
Reply

gunnist
Explorer
‎03-13-2022 02:36 PM

Then I get  (when I click on the "NULL" legend in the chart):

index="myindex" | ... | where AnimalTypes=if("NULL"="NULL","","NULL")

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...