Splunk Dev

Drilldown for Row not using the field in search if the value for the field is null

psmp
Explorer

I have a Dashboard which returns a table. the Drilldown is selected as Row for this table.

There are 2 rows with DisplayVersion as 2.8.110 and NULL.

When I click on the row with the DisplayVersion as 2.8.11.0, it opens a new window with base query that includes "search "DisplayVersion='2.8.11.0' " and return 223 rows.

But When I click the row with DisplayVersion as NULL, it opens a new window with only the base query and still returns 223 rows.

Ideally it should open the base query + "Search DisplayVersion = "" " and just display one row.

But it is not happening so. Can someone please clarify why?

Image attached for your reference.

alt text

Tags (1)
0 Karma

niketn
Legend

@psmp what is the <drilldown> code that you currently have?
Also would it be possible for you to add one sample data each for version null and version not null?

Which is the query that works fine identifying 1 null version event?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...