Getting Data In

How do I make my dashboard filter set include all records with a NULL or no value?

mal81394
New Member

Hi All,

I have a filter set on a dashboard and by default, I have it set to include all values. How do I make it so that it also includes all records with a NULL or no value?

Here's another way to state this: when I select "ALL" in the filter, I want to see all records with or without a value in them. Then, when I select a specific value to filter on, obviously I want to see only records for that value. Below is my multi-select filter.

  <label>Assigned To:</label>
  <default>*</default>
  <choice value="*">All</choice>
  <search>
    <query>
      <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
    </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>
  <delimiter> OR </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>group="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <fieldForLabel>group</fieldForLabel>
  <fieldForValue>group</fieldForValue>
</input>
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma

mal81394
New Member

Thanks so much! This worked perfectly!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...