topic Re: What is the query to update table of a panel with values chosen from a dropdown? in Splunk Search

What is the query to update table of a panel with values chosen from a dropdown?

surekhasplunk — Tue, 29 Sep 2020 18:07:08 GMT

I have a drop-down to choose values of quarter.

<label>Choose Quarter</label>
  <choice value="Q">Quarter</choice>
  <choice value="Q1">Q1</choice>
  <choice value="Q2">Q2</choice>
  <choice value="Q3">Q3</choice>
  <choice value="Q4">Q4</choice>

Now if I choose Q2 one of my panels should get populated with all those values from abc.csv file where "Cuorse_Name"=H1
and if I choose Q4 then the same panel should get populated with values from the same abc.csv file where "Cuorse_Name"=H2

Please help with the query

Re: What is the query to update table of a panel with values chosen from a dropdown?

gcusello — Wed, 14 Feb 2018 11:56:29 GMT

Hi surekhasplunk,
this is an example for your needs

<form>
  <label>test1</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="log_level">
      <label>log_level</label>
      <choice value="*">All</choice>
      <choice value="INFO">INFO</choice>
      <choice value="DEBUG">DEBUG</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="WARN">WARN</choice>
      <choice value="WARNING">WARNING</choice>
      <prefix>log_level=</prefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal $log_level$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

In few words, in the dropdown you have to insert the values to search, in the prefix tag the field name and in the search the tag using $.

Bye.
Giuseppe

Re: What is the query to update table of a panel with values chosen from a dropdown?

surekhasplunk — Wed, 14 Feb 2018 12:14:02 GMT

Hi @cusello,

My dropdown works well for populating other tables in the dashboard where there is a column with value Q1 etc.
Its problem only when the file doesn't have that data.
so we have to manipulate Q1=H1 Q2=H2 Q3=H3 etc.

|inputlookup abc.csv |eval dp=case('$quarter$'=="Q1","H1", '$quarter$'=="Q2","H2",1=1,0)|search "Course_name"='$dp$' | chart count as field2 over field3 by field4

currently i am trying to use this query but not getting proper results $dp$ is not getting the value from case statement.
Pls help

Re: What is the query to update table of a panel with values chosen from a dropdown?

kamlesh_vaghela — Wed, 14 Feb 2018 12:29:01 GMT

Hi @surekhasplunk,

Can you please try this?

| inputlookup abc.csv 
| eval selected="$quarter$"
| eval dp=case(selected=="Q1","H1", selected=="Q2","H2",1=1,0) 
| search "Course_name"=dp 
| chart count as field2 over field3 by field4

Re: What is the query to update table of a panel with values chosen from a dropdown?

gcusello — Tue, 29 Sep 2020 18:03:34 GMT

Let me understand:
Do you have a column called Cuorse_Name where sometimes there are values Q1, Q2, ... and sometimes H1, H2, ... but the column name is always the same
or do you have values Q1, Q2, in a column (e.g. Cuorse_Name1) and H1, H2 in another column (e,g, Cuorse_Name2),
which one?

In the first case you can use eval command

| eval Cuorse_Name=case(Cuorse_Name="H1","Q1",Cuorse_Name="H2","Q2",...)

in the second one, you have to use the same eval command and a coalesce function

| eval Cuorse_Name=coalesce(Cuorse_Name1,Cuorse_Name2)
| eval Cuorse_Name=case(Cuorse_Name="H1","Q1",Cuorse_Name="H2","Q2",...)

Bye.
Giuseppe

Re: What is the query to update table of a panel with values chosen from a dropdown?

surekhasplunk — Wed, 14 Feb 2018 12:48:57 GMT

Hi @cusello,

From Dropdown i can select Q1 or Q2 or Q3 or Q4

In my csv file i have a field called "Course Name" which have values like "H1 2017" "H2 2017" etc.
So if i choose Q1 i should search for "Course Name"=H1 and show rest of the items from the csv file.

Thanks

Re: What is the query to update table of a panel with values chosen from a dropdown?

surekhasplunk — Wed, 14 Feb 2018 12:54:10 GMT

Hi @kamlesh_vagela,

I tried your way but i read somewhere eval creates fields and not variables/tokens
So here selected and dp two fields are getting created but the command search "Course_name"=dp is not working as expected to match the values of the fields.
Though both have got same values its not returning anyting.

Re: What is the query to update table of a panel with values chosen from a dropdown?

surekhasplunk — Wed, 14 Feb 2018 13:06:11 GMT

Hi @kamlesh_vagela and @cusello

I had to tweak the query to add a where clause instead of search | where 'Course_name' == dp
and == for field comparison and now its working as expected.

But when for the condition where i have to get all rows am not getting that
I added selected=All and tried to assign * to it which is not returning any result.

| eval dp=case(selected=="Q1","H1 2017", selected=="Q2","H2 2017", selected=="All","*",1=1,0)

Re: What is the query to update table of a panel with values chosen from a dropdown?

gcusello — Wed, 14 Feb 2018 13:17:47 GMT

Hi @surekhasplunk,
put an asterisk in the value

<choice value="Course_Name=H1*">Q1</choice>

or in the search extract the quarter value

| eval Course_Name=substr(Course_Name,1,2)

and use it for filter.
If you can, don't use spaces in field names (Course Name), if you must, use double quotes ("Course Name")

Bye.
Giuseppe

Re: What is the query to update table of a panel with values chosen from a dropdown?

gcusello — Wed, 14 Feb 2018 13:20:24 GMT

Hi @surekhasplunk,
If you're satisfied, please accept and/or upvote answer.
Bye.
Giuseppe

Re: What is the query to update table of a panel with values chosen from a dropdown?

kamlesh_vaghela — Wed, 14 Feb 2018 13:25:36 GMT

Great @surekhasplunk,

Please accept your answer and Upvote my and @cusello 's comment on previous post.

Thanks
Happy Splunking