
How to set default value in query

Path Finder


Thanks for your valuable time and help.

I have one view with a host drop-down and one time chart. I am writing a query according to the host selected from the drop-down and showing the graph accordingly. By default my page will remain blank. On "Search" button click, the graph will show.
My query is:

index="test" sourcetype="test_source" host=$host$ | timechart count(LastOccurrence) by Severity

On changing host value and clicking on search button, it will display graph.

But I want to display my graph on page load. With this query, on page load it will display "No result found" because $host$ is null. And I want to set the $host$ value as "Any".

I have tried: fillnull value=Any in my query, but it is not working.

Please help, if anybody knows the solution. How can I set a default value for this $host$ variable?

Thanks in advance,




You need to give a default value to the host pulldown not to the search directly.

Since it sounds like the host is populated by a search, most likely you're using a SearchSelectLister module. SearchSelectLister does have a 'selected' param, but the first step is to give it an 'Any' option to select. For this you'll need to add the param 'staticFieldsToDisplay'.

<param name="staticFieldsToDisplay">
  <list>
    <param name="label">Any</param>
    <param name="value">*</param>
  </list>
</param>

And actually you don't need to add the 'selected' param, because if there are any staticFieldsToDisplay, it will always default to the first one, even when 'selected' is unset.

Also, if you ever use SearchSelectLister's non-dynamic cousin, the StaticSelect module, it has these same 2 params.

You can always read about the params for any particular module by going to http://<your host and port>/modules

And generally the same content is written up in the docs here: http://www.splunk.com/base/Documentation/4.2.1/Developer/ModuleReference#SearchSelectLister

And I'm guessing that you are not using the Sideview Utils module 'Pulldown' because it will have the 'any' entry by default and you probably wouldn't have asked this question. However, Pulldown handles both static and dynamic cases and you may find the Sideview system easier to use because you don't have to use "intentions". Download Sideview Utils and read the embedded docs for more detail.

0 Karma

Splunk Employee

In the fieldset statement for your view, you can add autoRun and default:

<fieldset autoRun="true" submitButton="false">
  <input token="sourcetype" />
  <input type="time">
    <default>Last 30 days</default>
  </input>
</fieldset>


0 Karma
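
The two answers above combined into one form, as an added example that is not part of the original thread: an "Any" choice with value `*`, a default for the token, and `autoRun` so the chart renders on page load. It is written in the current Simple XML syntax (Splunk 6 and later), not the 4.2.1 syntax the thread uses; the labels, the populating search and the `time` token name are assumptions.

```xml
<form>
  <label>Events by severity</label>
  <!-- autoRun runs the searches on page load using the defaults below -->
  <fieldset autoRun="true" submitButton="true">
    <input type="dropdown" token="host">
      <label>Host</label>
      <!-- Static entry shown before the search-populated hosts -->
      <choice value="*">Any</choice>
      <!-- Without a default, $host$ is unset on load and the panel stays empty -->
      <default>*</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <!-- Assumed populating search: list the hosts seen in the index -->
        <query>| metadata type=hosts index=test | fields host | sort host</query>
      </search>
    </input>
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- The |s filter wraps the token value in quotes, so a host value
               cannot add extra search terms; host="*" still matches all hosts -->
          <query>index="test" sourcetype="test_source" host=$host|s$ | timechart count(LastOccurrence) by Severity</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```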


Path Finder

What will be in advanced XML?

0 Karma