Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cascading Drop Downs

RobertRi
Communicator
‎01-26-2016 07:37 AM

Hi Community!

I'm trying to create a form search, in which the user should:

1.) Choose a time range in which he suggests the Events
2.) Select a host on which he will see the Events
3.) Select the desired Event

Here in the 3rd step, I have the Problem. The user should see a formatted timestamp (Event1_tok) for this one Event and then it should be passed into the original search, but it seems because the timestamp is formated, the search fail.
How can I pass the correct timeformat to the search, that I only get this one Event?

<form>
  <label>Review Config Changes Testing</label>
  <description>Specify TimeRange in which the events are suggested. Then define HostName and Events to compare.</description>
  <fieldset autoRun="false">

    <input type="time" token="TimeRange_tok">
      <label>Select a Time Range</label>
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>

    <input type="dropdown" token="HostName_tok">
      <label>Select a HostName</label>
      <search>
        <query>index=xkm sourcetype=xkmconfig earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | stats count by host </query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>

        <input type="dropdown" token="Event1_tok">
      <label>Select first Event</label>
      <search>
        <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | eval EventTime1=strftime(_time, "%d.%m.%Y %H:%M:%S") | stats count by EventTime1 </query>
      </search>
      <fieldForLabel>EventTime1</fieldForLabel>
      <fieldForValue>_time</fieldForValue>
    </input>
  </fieldset>



  <row>
    <panel>
      <event>
        <search>
          <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$Event1_tok$ latest=$Event1_tok$ </query>
          <!--earliestTime>$ TimeRange_tok.earliest$</earliestTime>
          <latestTime>$ TimeRange_tok.latest$</latestTime-->
        </search>
      </event>
    </panel>
  </row>
</form>

Thank you for your help!
Robert

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-26-2016 09:11 AM

Replace your Event1_tok input definition with this.

  <input type="dropdown" token="Event1_tok">
       <label>Select first Event</label>
       <search>
         <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | eval EventTime1=strftime(_time, "%d.%m.%Y %H:%M:%S") | stats count by EventTime1,_time </query>
       </search>
       <fieldForLabel>EventTime1</fieldForLabel>
       <fieldForValue>_time</fieldForValue>
     </input>
   </fieldset>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-26-2016 09:11 AM

Replace your Event1_tok input definition with this.

  <input type="dropdown" token="Event1_tok">
       <label>Select first Event</label>
       <search>
         <query>index=xkm sourcetype=xkmconfig host=$HostName_tok$ earliest=$TimeRange_tok.earliest$ latest=$TimeRange_tok.latest$ | eval EventTime1=strftime(_time, "%d.%m.%Y %H:%M:%S") | stats count by EventTime1,_time </query>
       </search>
       <fieldForLabel>EventTime1</fieldForLabel>
       <fieldForValue>_time</fieldForValue>
     </input>
   </fieldset>
0 Karma
Reply
Solved! Jump to solution

RobertRi
Communicator
‎01-26-2016 11:47 PM

Thanks,that works! Regards Robert

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...