Splunk Enterprise

Why am I unable to create dropdown static option that is "All" static options combined?

Steve_A200
Path Finder

Hi,

I am trying to get a static option that is "All" the individual static options combined. The mCode field contains different values in different events, and I would like to list all the events with a specific mCode value.

When I paste the query into a regular SPL search, I get the correct results; however, in a Dashboard, it tells me "no results found".

The token I am using for the static options is mcode, and all the individual static options are working correctly:

 

<query>
| multisearch  [ | from datamodel:"model1"  ] [ | from datamodel:"model1" ]
| fields "Action" "pCode" "mCode" "pCode2" 
| search Action="*" pCode="$pCode$" pCode2="*" 
| where mCode IN ("$mCode$")
</query>

 

 

I tried the following mCode Static option: %  ...  * .... even value1","value2","value3 

Nothing seems to work in the Dashboard.

Any help would be appreciated.


bowesmana
SplunkTrust

Is this a single value dropdown?

If you set the value of your 'all' static option to "__ALL__" and then in your where clause do

| where mCode IN ("$mCode$") OR "$mCode$"="__ALL__"

If it's a single value dropdown, then the IN clause is probably unnecessary, so

| where mCode="$mCode$" OR "$mCode$"="__ALL__"

 

Steve_A200
Path Finder

Unfortunately it is still not providing me any results when I select All.

The dropdown consists of several static values:

name1  -- value1

name2  -- value2

name3  -- value3

and I want All to combine all the values, so

All  -- value1 and value2 and value3

Thank you

0 Karma

bowesmana
SplunkTrust

What does your query look like when you select all? Open the panel results in a new window and see what the search looks like.

Steve_A200
Path Finder

Thanks for the tip on opening the results into the Panel.

For some reason, the Name field is being used as the value being populated into the SPL query, which is very odd.

I got the results working by entering % in the name field and any character in the value seems to work.

Splunk seems to be ignoring the value field and using only the name field in the dropdown menu, which is different from the previous entries in the same dropdown menu.

I did manage to get it working for now even though.

Thanks all.

0 Karma