Splunk Search

How to set default value in query

geetanjali
Path Finder

Hello,

Thanks for your valuable time and help.

I have one view with host drop down and one time chart. I am writing a query according to host selected from drop down and showing graph accordingly.By default my page will remain blank. On "Search" button click, the graph will show.
My query is :

index="test" sourcetype="test_source" host=$host$ | timechart count(LastOccurrence) by Severity

On changing host value and clicking on search button, it will display graph.

But i want to display my graph on page load. With this query, on page load it will display "No result found". because $host$ is null.And want to set $host$ value as "Any".

I have tried : fillnull value=Any in my query. but it is not working.

Please help, if anybody knows the solution. How can i set default value to this $host$ variable.

Thanks in advance,

Geetanjali

Tags (1)

sideview
SplunkTrust
SplunkTrust

You need to give a default value to the host pulldown not to the search directly.

Since it sounds like the host is populated by a search, most likely you're using a SearchSelectLister module. SearchSelectLister does have a 'selected' param, but the first step is to give it an 'Any' option to select. For this you'll need to add the param 'staticFieldsToDisplay'.

<param name="staticFieldsToDisplay">
  <list>
    <param name="label">Any</param>
    <param name="value">*</param>
  </list>
</param>

And actually you dont need to add the 'selected' param, because if there are any staticFieldsToDisplay, it will always default to the first one, even when 'selected' is unset.

Also, if you ever use SearchSelectLister's non-dynamic cousin, the StaticSelect module, it has these same 2 params.

You can always read about the params for any particular module by going to http://<your host and port>/modules

And generally the same content is written up in the docs here: http://www.splunk.com/base/Documentation/4.2.1/Developer/ModuleReference#SearchSelectLister

And I'm guessing that you are not using the Sideview Utils module 'Pulldown' because it will have the 'any' entry by default and you probably wouldnt have asked this question. However Pulldown handles both static and dynamic cases and you may find the Sideview system easier to use because you dont have to use "intentions". Download Sideview Utils and read embedded docs for more detail.

0 Karma

mw
Splunk Employee
Splunk Employee

In the fieldset statement for your view, you can add autoRun and default:

<fieldset autoRun="true" submitButton="false">
  <input token="sourcetype">
    <default>myhost</default>
  </input>
  <input type="time">
    <default>Last 30 days</default>
  </input>
</fieldset>

http://www.splunk.com/base/Documentation/latest/Developer/Step2CustomizeForm

0 Karma

mw
Splunk Employee
Splunk Employee
0 Karma

geetanjali
Path Finder

what will be in advance XML?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...