Getting Data In

How do I make my dashboard filter set include all records with a NULL or no value?

mal81394
New Member

Hi All,

I have a filter set on a dashboard and by default, I have it set to include all values. How do I make it so that it also includes all records with a NULL or no value?

Here's another way to state this: when I select "ALL" in the filter, I want to see all records with or without a value in them. Then, when I select a specific value to filter on, obviously I want to see only records for that value. Below is my multi-select filter.

  <label>Assigned To:</label>
  <default>*</default>
  <choice value="*">All</choice>
  <search>
    <query>
      <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
    </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>
  <delimiter> OR </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>group="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <fieldForLabel>group</fieldForLabel>
  <fieldForValue>group</fieldForValue>
</input>
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma

mal81394
New Member

Thanks so much! This worked perfectly!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...