Splunk Enterprise Security

Omit Token Value from Results on 1 Panel

Path Finder

I'm have a dashboard with multiple panels, some of which provide hostnames and others that do not (some coming from AD and others coming from routers). I have text search boxes that tie to all the panels and populate data when it's available.

My question is, how do I omit results in a panel that looks at router logs and therefore doesn't have a hostname? Currently, if I do a search from a hostname, the panel running a search on router logs just pulls up all router logs. If someone searches for a hostname, I just want the panel that searches router logs to say 'no results found". All the table results except IP come from an Automatic Lookup populated by a Lookup file.

Below is the dashboard panel search string.

index=__sec_fw sourcetype=cisco:asa host IN ("router1", "router2") src_ip IN (,,,,,
| rename src_ip AS IP
| search IP="$ip$"
| table "IP", Location, Location_Additional, Floor, _time

0 Karma


hi @chrisschum - Not very clear to me.
You have a drop down input with host names?
If so, what is the expected result if user selects router1 from the drop down?
If you mean to say the result should be - no results found , then when should this query execute?
It is a bit confusing , can you throw some more clarity on your requirements?

0 Karma

Path Finder

I apologize it's taken me so long to respond.

Actually, it turns out I don't need to do it this way anymore as the needs change.

Thanks for responding!

0 Karma


@chrisschum if you can add the summary or overview of what you have done to resolve your issue as an answer and accept the same then it would be great so that the question is marked as answered and may assist other facing similar issue.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

@niketnilay I completely understand, but the thing is the issue wasn't resolved. I just went a different direction with the dashboard. I simply made everyone who uses it (just a handful of people) aware that if they weren't searching an IP, to ignore the panels with IP information. I just worked around it.


0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...