Solved: How do I make my dashboard filter set include all ...

mal81394 · ‎10-26-2018

Hi All,

I have a filter set on a dashboard and by default, I have it set to include all values. How do I make it so that it also includes all records with a NULL or no value?

Here's another way to state this: when I select "ALL" in the filter, I want to see all records with or without a value in them. Then, when I select a specific value to filter on, obviously I want to see only records for that value. Below is my multi-select filter.

  <label>Assigned To:</label>
  <default>*</default>
  <choice value="*">All</choice>
  <search>
    <query>
      <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
    </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>
  <delimiter> OR </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>group="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <fieldForLabel>group</fieldForLabel>
  <fieldForValue>group</fieldForValue>
</input>

renjith_nair · ‎10-26-2018

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎10-26-2018

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

---
What goes around comes around. If it helps, hit it with Karma 🙂

mal81394 · ‎10-29-2018

Thanks so much! This worked perfectly!

How do I make my dashboard filter set include all records with a NULL or no value?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases