All Apps and Add-ons

Search based on drop down selection

Sriram
Communicator

I have 2 drop down (basically nested pulldown modules) and search based on the drop down selected drop down values.

Here is the sample :

<module name="Search" layoutPanel="panel_row2_col1_grp1">
  <param name="search">index=costcentersummary source=list_costcenters | dedup costCenter | sort costCenter</param>
  <module name="Pulldown">
    <param name="name">costCenter</param>
    <param name="label">Cost Center:</param>
    <param name="template">$name$="$value$"</param>
    <param name="searchFieldsToDisplay">
      <list>
        <param name="label">costCenter</param>
        <param name="value">costCenter</param>
      </list>
    </param>
    <param name="staticFieldsToDisplay">
      <list>
        <param name="value">Select</param>
        <param name="label">Select</param>
      </list>
      <list>
        <param name="value">*</param>
        <param name="label">All Cost Centers</param>
      </list>
    </param>
    <module name="Search">
      <param name="search">index=costcentersummary source=list_costcenters |search $costCenter$ | dedup displayName | sort displayName</param>
      <module name="HTML" layoutPanel="panel_row4_col1">
        <param name="html">
          <![CDATA[<font size="1" color="purple"><b><u>Search String is:</u> <i>$search$</i></b></font>]]>
        </param>
      </module>
      <module name="Pulldown">
        <param name="name">userName</param>
        <param name="label">Employee:</param>
        <param name="template">$name$="$value$"</param>
        <param name="staticFieldsToDisplay">
          <list>
            <param name="value">Select</param>
            <param name="label">Select</param>
          </list>
          <list>
            <param name="value">*</param>
            <param name="label">All Employees</param>
          </list>
        </param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">displayName</param>
            <param name="value">displayName</param>
          </list>
        </param>
......

If "All Cost centers" and "All Employees" values are chosen, my search query will be like this. Which works fine btw.
Search String is: index=statsindex sourcetype=statssource userName="*"

However if "a specific cost center" and "All Employees" values are chosen, I am not able to feed in the list of users for the cost center. What is the best way to build a list of userName predicates and construct the query. something like this. Appreciate any inputs.

Get the user list : index=costcentersummary source=list_costcenters |search costCenter="000633" | dedup displayName | sort displayName

index=statsindex sourcetype=statssource userName in ("List of displayName from the above query")

0 Karma

Sriram
Communicator

Found a way using subsearch.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...