Splunk Enterprise

Why am I unable to create dropdown static option that is "All" static options combined?

Steve_A200
Path Finder

Hi,

I am trying to get a static option that is "All" the individual static options combined.  The mCode field contains different values in different events, and I would like to list all the events with specific mCode value.

when I paste the query into a regular SPL search, I get the correct results, however, in a Dashboard, it tells me "no results found".

The token I am using for the static options is mcode, and all the individual static options are working correctly:

 

<query>
| multisearch  [ | from datamodel:"model1"  ] [ | from datamodel:"model1" ]
| fields "Action" "pCode" "mCode" "pCode2" 
| search Action="*" pCode="$pCode$" pCode2="*" 
| where mCode IN ("$mCode$")
</query>

 

 

I tried the following mCode Static option: %  ...  * .... even value1","value2","value3 

nothing seems to work in the Dashboard.

Any help would be appreciated.

Labels (2)
Tags (1)
0 Karma
1 Solution

Steve_A200
Path Finder

Thanks for the tip on opening the results into the Panel.

For some reason, the Name field is being used as the value being populated into the SPL query, which is very odd.

I got the results working by entering % in the name field and any character in the value seem to work.

Splunk seems to be ignoring the value field and using only the name field in the dropdown menu, which is a different from the previous entries in the same dropdown menu.

I did manage to get it working for now even though.

Thanks all.

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Is this a single value dropdown?

If you set the value of your 'all' static option to "__ALL__" and then in your where clause do

| where mCode IN ("$mCode$") OR "$mCodes$"="__ALL__"

if it's a single value dropdown, then the IN clause is probably unnecessary, so

| where mCode="$mCode$" OR "$mCodes$"="__ALL__"

 

Steve_A200
Path Finder

Unfortunately it is still not providing me any results when I select All.

The dropdown consist of several static values:

name1  -- value1

name2  -- value2

name3  -- value3

and I want All to combine all the values, so

All  -- value1 and value2 and value3

Thank you

0 Karma

bowesmana
SplunkTrust
SplunkTrust

What does your query look like when you select all? Open the panel results in a new window and see what the search looks like.

Steve_A200
Path Finder

Thanks for the tip on opening the results into the Panel.

For some reason, the Name field is being used as the value being populated into the SPL query, which is very odd.

I got the results working by entering % in the name field and any character in the value seem to work.

Splunk seems to be ignoring the value field and using only the name field in the dropdown menu, which is a different from the previous entries in the same dropdown menu.

I did manage to get it working for now even though.

Thanks all.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...