Hi Experts,
I have changed the blank value in a drop down with a string . So for drop down query is
<input type="dropdown" token="act" searchWhenChanged="false">
<label>Action</label>
<default>*</default>
<choice value="*">All</choice>
<search>
<query>index=test |eval act = if(isnull(Action) OR Action="", "Unknown", Action)|dedup act</query>
</search>
<fieldForLabel>act</fieldForLabel>
<fieldForValue>act</fieldForValue>
</input>
Now based on this drop down selection I am displaying a table .
My Problem is
Things are working fine for all other options except when I select Unknown in the drop down . So the table query is
Please help me to resolve this .
<table>
<title></title>
<search>
<query>index=test Action=$act$| stats count by Action,src,dst,proto,Protocol,s_port| sort - count | fields Action,src,s_port,dst,Protocol,count|rename count as "Hits"</query>
<earliest>$time_display.earliest$</earliest>
<latest>$time_display.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">true</option>
<option name="drilldown">none</option>
<option name="count">10</option>
</table>
Thanks
VG
Hi vikas_gopal,
you have to make the reverse transformation:
index=test Action=$act$
| eval Action = if(act="Unknown","",Action)
| stats count by Action,src,dst,proto,Protocol,s_port
| sort - count
| fields Action,src,s_port,dst,Protocol,count
|rename count as "Hits"
Bye.
Giuseppe
Hi vikas_gopal,
you have to make the reverse transformation:
index=test Action=$act$
| eval Action = if(act="Unknown","",Action)
| stats count by Action,src,dst,proto,Protocol,s_port
| sort - count
| fields Action,src,s_port,dst,Protocol,count
|rename count as "Hits"
Bye.
Giuseppe
Even I tried this but no luck
index=test |eval act = if(isnull(Action) OR Action="", "Unknown", Action)|search act=$act$| stats count by Action,src,dst,proto,Protocol,s_port| sort - count | fields Action,src,s_port,dst,Protocol,count