Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my dashboard to ignore null fields not selected in a checkbox?

sperl
New Member
‎03-16-2017 10:49 AM

In my dashboard, I have a set of values I am trying to select via checkboxes. However - I may only have values in one of the checkbox lists.

If any of the inputs are null, the search is malformed, and doesn't work. How can I either ignore the NULL field, or merge the results cleanly to search?

<form>
  <label>Dashboard</label>
  <description>Dashboard</description>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="checkbox" token="field2">
      <label>NY Hosts</label>
      <choice value="aa">aa</choice>
      <choice value="bb">bb</choice>
      <delimiter> OR </delimiter>
      <valuePrefix>Host=</valuePrefix>
    </input>
    <input type="checkbox" token="field3">
      <label>UK Hosts</label>
      <choice value="cc">cc</choice>
      <choice value="dd">dd</choice>
      <choice value="ee">ee</choice>
      <delimiter> OR </delimiter>
      <valuePrefix>Host=</valuePrefix>
    </input>
    <input type="checkbox" token="field4">
      <label>HK Hosts</label>
      <choice value="ff">ff</choice>
      <choice value="gg">gg</choice>
      <delimiter> OR </delimiter>
      <valuePrefix>Host=</valuePrefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Graph1</title>
        <search>
          <query>index=index  $field2$ OR $field3$ OR $field4$ |timechart min(Value) by Host limit=0</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
</chart>
</panel>
</row>
Tags (3)
0 Karma
Reply

rjthibod
Champion
‎03-17-2017 06:14 AM

There is no workaround to your problem (the token value for a checkbox group is always undefined if you have no values selected) without using a different type of input and/or using a complicated JavaScript filtering mechanism.

One work around would be using a multiselect input. I would suggest consolidating all of the options into one input, and you could prepend the values with the location prefix. The result would look like the following.

     <input searchWhenChanged="false" token="host_filter" type="multiselect">
       <choice value="*">All</choice>
       <choice value="aa">NY: aa</choice>
       <choice value="bb">NY: bb</choice>
       <choice value="cc">UK: cc</choice>
       <choice value="dd">UK: dd</choice>
       <choice value="ee">UK: ee</choice>
       <choice value="ff">HK: ff</choice>
       <choice value="gg">HK: gg</choice>
       <delimiter> OR </delimiter>
       <valuePrefix>Host="</valuePrefix>
       <valueSuffix>"</valueSuffix>
       <prefix>(</prefix>
       <suffix>)</suffix>
       <default>*</default>
     </input>

And then using it in the search like this

index=index $host_filter$ |timechart min(Value) by Host limit=0</query>

0 Karma
Reply

sperl
New Member
‎03-17-2017 06:18 AM

Thank you - is there a way to put the various types in different columns?

I trimmed this for posting, but I can have 6-12 items in each of the multi-select lists, so when it appears as one long column - it becomes very unwieldy.

In other searches I saw using a module name="ValueSetter", but that appeared to be a quite different format than the dashboard xml I'm familiar with.

0 Karma
Reply

rjthibod
Champion
‎03-17-2017 07:01 AM

It is possible to split up, but things will get much more complicated. The issue is there is no clean way to specify "None" for one location/region without adding some specialized filtering. What you would have to do is something like this.

      <input searchWhenChanged="false" token="host_filter_ny" type="multiselect">
        <label>NY Hosts</label>
        <choice value="!!!none!!!">None</choice>
        <choice value="aa">aa</choice>
        <choice value="bb">bb</choice>
        <delimiter>;</delimiter>
      </input>
      <input searchWhenChanged="false" token="host_filter_uk" type="multiselect">
        <label>UK Hosts</label>
        <choice value="!!!none!!!">None</choice>
        <choice value="cc">cc</choice>
        <choice value="dd">dd</choice>
        <choice value="ee">ee</choice>
        <delimiter>;</delimiter>
      </input>
      <input searchWhenChanged="false" token="host_filter_hk" type="multiselect">
        <label>HK Hosts</label>
        <choice value="!!!none!!!">None</choice>
        <choice value="ff">ff</choice>
        <choice value="gg">gg</choice>
        <delimiter>;</delimiter>
      </input>

And then specialized logic to filter out any inputs if it includes the None option

index=index 
[
    | gentimes start=-1 
    | eval hostny = "$host_filter_ny$"
    | eval hostuk = "$host_filter_uky$"" 
    | eval hosthk = "$host_filter_hk$"
    | table host* 
    | eval hostny = if(match(hostny,"!none!"), null(), hostny) 
    | eval hostuk = if(match(hostuk,"!none!"), null(), hostuk) 
    | eval hosthk = if(match(hosthk,"!none!"), null(), hosthk) 
    | stats values(*) as * 
    | transpose 
    | rename "row 1" as host 
    | makemv host delim=";" 
    | stats values(host) as Host
] 
| timechart min(Value) by Host limit=0
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...