Solved: How to get text input in a dashboard to return any...

snix · ‎02-26-2017

I have a dashboard with a text input that is assigned to a field in a saved search with a default * entered into it

Text input example:

<input type="text" token="DashboardInput_UserName" searchWhenChanged="true">
<label>User Name</label>
<default>*</default>
<initialValue>*</initialValue>
</input>

Search Example:

<query>index=iis ExternalUserName="$DashboarInput_UserName$"
</query>

The issue is I want it to by default show me every event but when you use a wildcard * as a default you get everything but null values and I will need the null values as well. Is this possible?

snix · ‎02-27-2017

Okay looks like I got a workaround that gets the result I am looking for. Instead of trying to find fields with actual values and null values, just fill in the null values with something like a - by using this command:

fillnull value=-

After I did that I was able to find all events by just using *

View solution in original post

snix · ‎02-27-2017

Okay looks like I got a workaround that gets the result I am looking for. Instead of trying to find fields with actual values and null values, just fill in the null values with something like a - by using this command:

fillnull value=-

After I did that I was able to find all events by just using *

How to get text input in a dashboard to return any result including null by default when assigned to a field in a saved search?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to get text input in a dashboard to return any result including null by default when assigned to a field in a saved search?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR