Hello everybody,
In my dashboard I have two input fields:
Primary_field =*
Secondary field=*
My current search looks like:
index=* ip=$primary_filed_value$
I want to extend it with the secondary field.
But if I write my search like
index=* ip=$primary_filed_value$ user=$secondary_filed_value$
and $secondary_filed_value$ = *,
I get ONLY the results where user != NULL.
But I need everything:
ip user
1.1.1.1 alex
1.1.1.1 bill
1.1.1.1 NULL
Any ideas?
You could load the user field with values so that there never is a NULL:
index=* ip=$primary_filed_value$
| eval user = if(length(user)>0,user,"none")
| search user=$secondary_filed_value$
@alex_kh,
Try adding
user="*" OR NOT user="*"
Here is a run-anywhere example with inputs and tokens covering both empty and null:
<form>
  <label>Adding Null when selecting All</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="username">
      <label>UserName</label>
      <choice value="*">All</choice>
      <choice value="admin">Admin</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <change>
        <condition label="All">
          <set token="username">"*" OR NOT user="*"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval user="admin,nonadmin,EMPTY,NULL"|makemv user delim=","
|mvexpand user|eval user=if(user="NULL",null(),user)
|replace EMPTY with ""
|search user=$username$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
First search is obviously index=* bla bla bla