Splunk Dev

Why doesn't the pulldown work the first time I select a value (with a trivial Example!)?

ifeldshteyn
Communicator

Hello,

I have a really simple dashboard with a single pulldown. I notice that it never seems to take effect the first time I select a value — only the second time.

Here is the code with a base search and a simple table panel over the past hour. If I load this in Splunk (6.5.2) and run it, I will see the dropdown populated. If I choose one source type, it will immediately update the pulldown options but NOT update the table results. If I reset and chose another source type, it then takes effect. Hypothesis: this is because of a base search and filtering search for the dropdowns? I'd like for it to work the first time without requiring a Submit button. Note: I tried setting the option searchWhenChanged - but it didn't help. (searchWhenChanged="true")

<form>
  <label>test</label>
  <search id="base">
    <query>index =_internal earliest=-1h| fields sourcetype</query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype">
      <label>Sourcetypes</label>
      <choice value="*">All SourceTypes</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search base="base">
        <query>search sourcetype="*$sourcetype$*" | dedup sourcetype | sort sourcetype</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>search sourcetype="*$sourcetype$*" | head </query>
        </search>
      </table>
    </panel>
  </row>
</form>
Tags (1)
0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Hi @ifeldshteyn

I just tested this dashboard in my 7.1 Splunk instance and it works perfect - it always updates the raw results and the table. However I do find it unusal that you are using a token to update the search of the input that sets the token.

I made a few minor updates to your dashboard that you could try:

<form>
   <label>test</label>
   <search id="base">
     <!-- You should specify all fields that you plan to use later -->
     <query>index =_internal earliest=-1h| fields sourcetype _raw _time</query>
   </search>
   <fieldset submitButton="false">
     <input type="dropdown" token="sourcetype">
       <label>Sourcetypes</label>
       <choice value="*">All SourceTypes</choice>
       <default>*</default>
       <fieldForLabel>sourcetype</fieldForLabel>
       <fieldForValue>sourcetype</fieldForValue>
       <search base="base">
         <!-- Remove filter on sourcetype -->
         <query>dedup sourcetype | sort sourcetype</query>
       </search>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search base="base">
           <!-- Use the $|s$ quoting when using tokens -->
           <query>search sourcetype=$sourcetype|s$ | head </query>
         </search>
       </table>
     </panel>
   </row>
 </form>
0 Karma

ifeldshteyn
Communicator

Hi, I know I can get this to work, but then, if I add additional pulldowns, they are not filtered. Here is an example with additional pulldown of Source. If I filter a sourcetype, the source pulldown is not filtered and vice versa. In effect, I want, upon a pulldown selection to fillter the options in other pulldowns AND the downstream data. And I can get it to work only if I select something twice, or use a submit button which I was hoping to avoid.

<input type="dropdown" token="sourcetype" searchWhenChanged="true">
  <label>Sourcetypes</label>
  <choice value="*">All SourceTypes</choice>
  <default>*</default>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <search base="base">
    <query>dedup sourcetype | sort sourcetype</query>
  </search>
</input>
    <input type="dropdown" token="source" searchWhenChanged="true">
  <label>Sourcetypes</label>
  <choice value="*">All Source</choice>
  <default>*</default>
  <fieldForLabel>source</fieldForLabel>
  <fieldForValue>source</fieldForValue>
  <search base="base">
    <query>dedup source | sort source</query>
  </search>
</input>


<panel>
  <table>
    <search base="base">
      <query>search sourcetype="*$sourcetype$*" source = "*$source$*"| head</query>
    </search>
  </table>
</panel>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...