topic Re: How to trigger search based on a dynamic dropdown input? in Splunk Search

How to trigger search based on a dynamic dropdown input?

ByteFlinger — Thu, 23 Mar 2017 20:19:39 GMT

I am trying to create a dropdown box to allow the user to select a host category (Like backend or frontend) and then I want to create another dropdown box to select a specific host.

So far I have the following

<input type="dropdown" token="product" searchWhenChanged="true">
      <label>Select category</label>
      <choice value="*">*</choice>
      <default>*</default>
      <prefix>category="</prefix>
      <suffix>"</suffix>
      <change>
        <unset token="form.host"></unset>
      </change>
      <search>
        <query>| inputlookup host_table | stats count by category</query>
      </search>
      <fieldForLabel>category</fieldForLabel>
      <fieldForValue>category</fieldForValue>
    </input>
    <input type="dropdown" token="color" searchWhenChanged="true">
      <label>Select Color</label>
      <search>
        <query>sourcetype = "somesourcetype" [| inputlookup category | search $category$ | fields host ] | stats count by host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>*</default>
      <choice value="*">*</choice>
    </input>

That is followed by a graph which makes a simple search to show an event count for a specific log in that host

sourcetype="somesourcetype" host=$host$ | rex field=source max_match=40 ".*/(?<appname>.+)\.log" | timechart count by appname

So the idea here is that when the user changes a category, it will reset the host dropdown box since each category will have different hosts, setting it to * so all hosts for that category are chosen by default and shown in the graph.

This works well if the host dropdown has a specific host selected and the user changes the category however the issue I am having is if the host dropdown is *, changing the category dropdown to any value (frontend, backend or *) will not change the graphs (But will properly repopulate the host dropdown with only the hosts available for that category).

Does anybody knows why this happens and how to fix it?

Re: How to trigger search based on a dynamic dropdown input?

somesoni2 — Thu, 23 Mar 2017 21:11:34 GMT

Change your panel search like this

sourcetype="somesourcetype" [| inputlookup category | search $category$ AND  host=$host$  | fields host ]  | rex field=source max_match=40 ".*/(?<appname>.+)\.log" | timechart count by appname

When you select * , the panel search can't differentiate based on category, so need to add logic that will take both category and host dropdown value into consideration.

Re: How to trigger search based on a dynamic dropdown input?

ByteFlinger — Thu, 23 Mar 2017 21:38:57 GMT

Thank you.

I suspected this was the issue however the problem is that category is just a value in a lookup table and not something mapped to the actual host.

I am quite new to Splunk and I am not even certain yet how to go about creating such a category to host mapping (maybe the Splunk forwarder could send this information in each server?) so for now I created a simple static lookup table with the mapping between category and host.

With that lookup table the way I see to solve this would be to map the "*" value in the host dropdown to a dynamically generated query which returns a list of the hosts for that category. Something like this

(host="host1" OR host="host2")

which I could inject in the panel query however I have no idea how to go about generating such a query from a list of hosts. Any pointers?

Any feedback would be welcome.

Re: How to trigger search based on a dynamic dropdown input?

somesoni2 — Thu, 23 Mar 2017 21:49:14 GMT

It might not work very well if the number of hosts are too big. But give this a try (xml code for host dropdown, replace your current query with tstats which is more efficient for this kind of query i.e. querying based on metadata like host/source/sourcetype etc.)

   <label>Select Color</label>
   <search>
     <query>| tstats count WHERE sourcetype = "somesourcetype" [| inputlookup category | search $category$ | fields host ]  by host | table host | eval hostvalue="host=".host | appendpipe [| stats values(hostvalue) as search | format | rename search as hostvalue | eval host="*" ]</query>
     <earliest>0</earliest>
   </search>
   <fieldForLabel>host</fieldForLabel>
   <fieldForValue>hostvalue</fieldForValue>
   <default>*</default>      
 </input>

Now your panel search will become this (instead of using host=$host$, you should be using just $host$ now)

sourcetype="somesourcetype" $host$  | rex field=source max_match=40 ".*/(?<appname>.+)\.log" | timechart count by appname

Re: How to trigger search based on a dynamic dropdown input?

ByteFlinger — Thu, 23 Mar 2017 22:11:44 GMT

Whoa that was a lot more advanced than I expected 😄

I was doing some reading and found out about the format command which sounds like it could be of some use as well. I'll give it a try, thank you.

Re: How to trigger search based on a dynamic dropdown input?

ByteFlinger — Fri, 24 Mar 2017 17:30:15 GMT

So after a bit of debugging I arrived at slightly different query than your

| tstats count WHERE sourcetype = "somesourcetype" [| inputlookup category | search $category$ | fields host ]  by host | table host | eval hostvalue="host=".host | appendpipe [| table host | format | rename search as hostvalue | eval host="*" ]

Yours wraps the entire host query in quotes (("host=host1") OR ("host=host2")) instead of ((host="host1") OR (host="host2"))

So now the host dropdown returns the correct query but I am back at the original issue. Changing the category dropdown unsets the host dropdown which looks like in splunk terms it means to set it to the dropdown default value (Which I have as *) and this apparently leads to $hosts$ listing all servers

I am able to confirm by creating a graph with the following query to simply list the current hosts

sourcetype="somesourcetype" $host$ | stats count by host

Am I missing something? Does it have anything to do with the unset trigger maybe?

Re: How to trigger search based on a dynamic dropdown input?

ByteFlinger — Fri, 24 Mar 2017 18:14:48 GMT

Nope. I removed the trigger from the category dropdown and it seems that the host dropdown is still updated when I change it (Which is nice) but the graphs still do not update on category changes if the host was * before the change