Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard drilldown: How to replace "NULL" with isnull(myfield) in a drilldown search?

gunnist
Explorer
‎03-13-2022 07:14 AM

The search behind my chart:

index="myindex" | ... | timechart count by AnimalTypes (the problem is that AnimalTypes sometimes doesn't exist)

My dashboard displays the following Legend:

- cats

- dogs

- NULL (because sometimes AnimalTypes doesn't exist)

 

Drilldown search:

 

index="myindex" | ... | search AnimalTypes=$click.name2$

 

If I click my dashboard for cats or dogs, it works fine , but when I click the NULL barchart, my clickdown search becomes:

 

index="myindex" | .. | search AnimalTypes=NULL

 

(doesn't work)

But it want the search to look like this (which works):

 

index="myindex" | ... | where isnull(AnimalTypes)

 

How do I do this? 🙂

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 12:39 AM

In your drilldown, you should evaluate a token dependent on the value of $click.name2$ and use the new token in the search

<eval token="AnimalTypesSearch">if("$click.name2$"="NULL","isnull(AnimalTypes)","AnimalTypes=$click.name2|s$")</eval>

index="myindex" | ... | where $AnimalTypesSearch$

Also note the switch to using where rather than search so that isnull function becomes valid

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 12:34 PM

@ITWhisperer 

I have a very similar thing going on, I can get the eval in the drilldown to work when I have a static value, however, it does not like when I have a variable in the 'false'
 

in this example it would be the 

"AnimalTypes=$click.name2|s$"

part.  It is not substituting $click.value$ in my case (you have $click.name2|s$) with the value, it is sending the $click. Value$ parameter to the search..

thoughts?

0 Karma
Reply

maxsteel
Explorer
‎10-06-2022 01:06 PM

To help others, I figured it out, the false result to have text and a token looks like:
"AnimalTypes=".$click.value$

Notice the "s around the text and the . (dot) between the token.

0 Karma
Reply

gunnist
Explorer
‎03-18-2022 08:17 AM

Hi,

Thanks, but where do I put the:

"<eval token="AnimalTypesSearch">....."

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 08:22 AM

In the drilldown of the panel which you are clicking on.

0 Karma
Reply

somesoni2
Revered Legend
‎03-13-2022 11:59 AM

Give this a try:

Drilldown search:

index="myindex" | ... | where AnimalTypes=if("$click.name2$"="NULL","","$click.name2$")
0 Karma
Reply

gunnist
Explorer
‎03-13-2022 02:36 PM

Then I get  (when I click on the "NULL" legend in the chart):

index="myindex" | ... | where AnimalTypes=if("NULL"="NULL","","NULL")

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...