All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search based on drop down selection

Sriram
Communicator
‎02-29-2012 12:51 PM

I have 2 drop down (basically nested pulldown modules) and search based on the drop down selected drop down values.

Here is the sample :

<module name="Search" layoutPanel="panel_row2_col1_grp1">
  <param name="search">index=costcentersummary source=list_costcenters | dedup costCenter | sort costCenter</param>
  <module name="Pulldown">
    <param name="name">costCenter</param>
    <param name="label">Cost Center:</param>
    <param name="template">$name$="$value$"</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">costCenter</param>
        <param name="value">costCenter</param>
      </list>
    </param>
    <param name="staticFieldsToDisplay">
      <list>
        <param name="value">Select</param>
        <param name="label">Select</param>
      </list>
      <list>
        <param name="value">*</param>
        <param name="label">All Cost Centers</param>
      </list>
    </param>
    <module name="Search">
      <param name="search">index=costcentersummary source=list_costcenters |search $costCenter$ | dedup displayName | sort displayName</param>
      <module name="HTML" layoutPanel="panel_row4_col1">
        <param name="html">
          <![CDATA[<font size="1" color="purple"><b><u>Search String is:</u> <i>$search$</i></b></font>]]>
        </param>
      </module>
      <module name="Pulldown">
        <param name="name">userName</param>
        <param name="label">Employee:</param>
        <param name="template">$name$="$value$"</param>
        <param name="staticFieldsToDisplay">
          <list>
            <param name="value">Select</param>
            <param name="label">Select</param>
          </list>
          <list>
            <param name="value">*</param>
            <param name="label">All Employees</param>
          </list>
        </param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">displayName</param>
            <param name="value">displayName</param>
          </list>
        </param>
......

If "All Cost centers" and "All Employees" values are chosen, my search query will be like this. Which works fine btw.
Search String is: index=statsindex sourcetype=statssource userName="*"

However if "a specific cost center" and "All Employees" values are chosen, I am not able to feed in the list of users for the cost center. What is the best way to build a list of userName predicates and construct the query. something like this. Appreciate any inputs.

Get the user list : index=costcentersummary source=list_costcenters |search costCenter="000633" | dedup displayName | sort displayName

index=statsindex sourcetype=statssource userName in ("List of displayName from the above query")

0 Karma
Reply

Sriram
Communicator
‎04-25-2012 02:37 PM

Found a way using subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...