Getting Data In

How do I make my dashboard filter set include all records with a NULL or no value?

mal81394
New Member

Hi All,

I have a filter set on a dashboard and by default, I have it set to include all values. How do I make it so that it also includes all records with a NULL or no value?

Here's another way to state this: when I select "ALL" in the filter, I want to see all records with or without a value in them. Then, when I select a specific value to filter on, obviously I want to see only records for that value. Below is my multi-select filter.

  <label>Assigned To:</label>
  <default>*</default>
  <choice value="*">All</choice>
  <search>
    <query>
      <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
    </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>
  <delimiter> OR </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>group="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <fieldForLabel>group</fieldForLabel>
  <fieldForValue>group</fieldForValue>
</input>
0 Karma
1 Solution

renjith_nair
Legend

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

mal81394
New Member

Thanks so much! This worked perfectly!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...