Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the most efficient way to use dashboard tokens for filtering?

bcarr12
Path Finder
‎05-15-2018 08:42 AM

I have a dashboard where I am using tokens to filter the results of the individual panels. The use case for the filters are:

Token=anything (*)
Token=specific_value
Token=anything BUT specific_value

I have the first two tested and working, but can't seem to figure out the best way to account for the 3rd scenario. I have been incorporating the token into my searches by using:

| fillnull value=NULL field (this ensures value will always be equal to something, even when not in an event) | search field=$token$

This works great for scenario 1 and 2 but obviously there is no way (I think?) to leverage field=value when in the last case I want to do the opposite (!=). Is there a better way to leverage the token in my search so I will be able to filter based on all three scenarios? All values, specific value, everything NOT specific value?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-15-2018 08:47 AM

Your token should include the condition you want to check, including the field name, and then just use the token value in the search. e.g.

Token=>field=*
Token=>field=specific_value
Token=field!=specific_value

And your search should be like

| fillnull value=NULL field (this ensures value will always be equal to something, even when not in an event) | search $token$

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-15-2018 08:47 AM

Your token should include the condition you want to check, including the field name, and then just use the token value in the search. e.g.

Token=>field=*
Token=>field=specific_value
Token=field!=specific_value

And your search should be like

| fillnull value=NULL field (this ensures value will always be equal to something, even when not in an event) | search $token$
0 Karma
Reply
Solved! Jump to solution

bcarr12
Path Finder
‎05-15-2018 09:28 AM

I wish there was a facepalm emoji available so I could use it 🙂

I never even considered the option of using the token to specify the entire condition, I always thought it could only be used to specify a specific value. All good, this did the trick!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-15-2018 09:30 AM

@bcarr12 if your issue is resolved please accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...