
Splunk - Handling a blank token for a dashboard search


I have the following search for a drill down from another dashboard:

MY SEARCH
|eval Status = if(isnull(REASON), "Null", REASON)
|eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
|stats values(MEM_NBR) as MEM_NBR, latest(Status) as Status, max(Time) as TIME by C_ID
|where Status="$tok_status$"
|sort limit=0 TIME desc

The token "$tok_status$" will be coming from a dashboard click and is connected to a text box. My question is how do I show all the available "Status" if the token is blank?

I have tried:

|where Status = if(isnull("$tok_status$"), Status, "$tok_status$")

But that did not work.


Solution

  • I believe "$tok_status$" becomes "" when the token is not provided so the isnull function will always return false. Try

    |where Status = if("$tok_status$"="", Status, "$tok_status$")

    Another option is to let Splunk add the quotes around the token, if it exists.

    |where Status = if(isnull($tok_status|s$), Status, "$tok_status$")
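
An alternative that handles the blank case at the input instead of in the `where` clause, shown as an added example that is not part of the original question or answer: the text box defaults to `*` and the filter uses `search` with the `|s` token filter, so an untouched box matches every Status and a supplied value is quoted and escaped by Splunk rather than pasted between hand-written quotes. The dashboard label and time range are assumptions; `MY SEARCH` is the asker's placeholder.

```xml
<!-- Added example (Simple XML). Label and time range are assumed values;
     MY SEARCH stands for the asker's base search. -->
<form>
  <label>Status drilldown (example)</label>
  <fieldset submitButton="false">
    <!-- tok_status is filled by the drilldown click or typed by the user.
         When neither supplies a value, the default "*" is used. -->
    <input type="text" token="tok_status" searchWhenChanged="true">
      <label>Status</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $tok_status|s$ makes Splunk wrap the value in double quotes and
               escape any quotes inside it, so the filter stays one string
               literal whatever was typed. "*" matches every Status, including
               the literal "Null" set by the first eval. -->
          <query><![CDATA[
MY SEARCH
| eval Status = if(isnull(REASON), "Null", REASON)
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats values(MEM_NBR) as MEM_NBR, latest(Status) as Status, max(Time) as TIME by C_ID
| search Status=$tok_status|s$
| sort 0 -TIME
          ]]></query>
          <!-- Assumed time range for the example. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Unlike `where`, the `search` command compares field values case-insensitively and treats a `*` in the typed value as a wildcard, so this version filters slightly more loosely than an exact `where` comparison.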