Re: Select all values from downdown list

hastrike · ‎02-12-2016

I have populated drop down input list in my dashboard and I am able to select all my options but everything I have tried using "*" as the wild card doesn't appear to work. Any help on how I can get an All value to select everything in the drop down and have the panels on my dashboard select all the values.

Like I said I was able to get it to work when I just select a single value.

somesoni2 · ‎02-12-2016

Got the problem now. You're using "|where" clause for filter based on Domain. The wildcard for it is "%" not "*". So you got two option to solve your problem.

1) In dropdown, change the value for "All" option to %

replace All with All

2) In your query, replace where with search which accepts * as wildcard.

replace | where Ministry ="$Ministry$" with | searchMinistry ="$Ministry$"

somesoni2 · ‎02-12-2016

Not sure I understand the question fully here. So you don't get result in your dashboard panels if you select dropdown value as "All" ?

hastrike · ‎02-12-2016

that is correct, basically I can select a specific domain and it will query fine but if I want to select all to query all domains it doesn't do anything. Below is the code that is used for the drop down box.

somesoni2 · ‎02-12-2016

I don't see a problem with the dropdown. Could you post the panel query that is not returning results when your dropdown token is "*"?

hastrike · ‎02-12-2016

| dbquery mcafee "SELECT DISTINCT UPPER(EPOLeafNode.NodeName) AS Name, EPOLeafNode.LastUpdate AS mcafee_scantime,EPOComputerProperties.DomainName as Domain, EPOLeafNode.AgentVersion, EPOProdPropsView_VIRUSCAN.productversion AS VSEVersion, EPOProdPropsView_VIRUSCAN.enginever, EPOComputerProperties.OSType AS OS, EPOProdPropsView_VIRUSCAN.datver, RTRIM(EPOComputerProperties.userproperty1) AS McAfeeAssetTag, UPPER(EPOComputerProperties.userproperty3) as SerialNumber FROM EPOLeafNode LEFT JOIN EPOProdPropsView_SOLIDCORE ON EPOLeafNode.AutoID = EPOProdPropsView_SOLIDCORE.LeafNodeID LEFT JOIN EPOProdPropsView_EPOAGENT ON EPOLeafNode.AutoID = EPOProdPropsView_EPOAGENT.LeafNodeID LEFT JOIN EPOProdPropsView_VIRUSCAN ON EPOLeafNode.AutoID = EPOProdPropsView_VIRUSCAN.LeafNodeID LEFT JOIN EPOComputerProperties ON EPOLeafNode.AutoID = EPOComputerProperties.ParentID where EPOLeafNode.LastUpdate > DATEADD(MONTH, -1, GETDATE())" | table Name SerialNumber McAfeeAssetTag mcafee_scantime Domain OS AgentVersion VSEVersion enginever datver | eval mcafee_scantime = strftime(mcafee_scantime, "%F") | eval Datasource="Mcafee" | dedup Name | eval_ministries(Domain) | where Ministry ="$Ministry$" | stats count by AgentVersion

Like I said it works if I select the actual ministry just fine.

dgrubb_splunk · ‎02-12-2016

Try adding:

count: '-1'

to your code, so it will display all the results.

hastrike · ‎02-12-2016

Sorry I am not sure where I would put that?
Here is my code:

  <choice value="*">All</choice>
  <search>
    <query>index="lnf_snow_table_alm_hardware"  | dedup dv_company  | rename dv_company AS Domain | `eval_ministries(Domain)` | table Ministry | dedup Ministry |  sort by Ministry</query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
  </search>

Everything I seen online says to use quotes and * but I can't get it to work.

Select all values from downdown list

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio