Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create drop-down list using response of search

mb_30
New Member
‎07-16-2019 04:30 AM

hi, I am trying to populate my drop-down list with a search result of a minute.
My main search is : version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value="not defined" year,version,error*
i am retriving the minutes by using - | stats count by date_minute
the search retuns table data but no data returned in the drop down list

I try to attache xml but there is some issues in the editor so i converted to json

{
"form": {
"label": "Dashboard test",
"search": {
"query": "version* error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error",
"id": "base_search"
},
"fieldset": {
"input": {
"search": {
"query": "| stats count by date_minute",
"_base": "base_search"
},
"fieldForLabel": "date_minute",
"fieldForValue": "date_minute",
"_type": "dropdown",
"_token": "date_minute",
"_searchWhenChanged": "true"
},
"_submitButton": "false"
},
"row": {
"panel": {
"table": {
"title": "Minute",
"search": {
"query": "version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error| stats count by date_minute",
"earliest": "0",
"latest": ""
},
"option": [
{
"_name": "wrap",
"text": "true"
},
{
"_name": "rowNumbers",
"text": "false"
},
{
"_name": "drilldown",
"text": "cell"
},
{
"_name": "dataOverlayMode",
"text": "none"
},
{
"_name": "count",
"_text": "10"
}
]
}
}
}
}
}

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

mb_30
New Member
‎07-17-2019 06:57 AM

alt text

Preview file
1 KB
0 Karma
Reply

Sfry1981
Communicator
‎07-17-2019 06:32 AM

can you post another screenshot of it as it should help me see what you need to do next

0 Karma
Reply

mb_30
New Member
‎07-17-2019 06:57 AM

hi, I am uploading the additional screenshot by using the post answer window, in the response window not allowing to post screenshots 😞

0 Karma
Reply

mb_30
New Member
‎07-17-2019 07:06 AM

hi just please note in this video tutorial https://www.youtube.com/watch?v=cdWXKBzPZ78 used base search that probably does so inheritance I tried to follow the same flow but it was unsuccessfully.

0 Karma
Reply

Sfry1981
Communicator
‎07-16-2019 06:36 AM

Hi @mb_30

Looks like you havent used the search token to be defined against anything. I think even though your token name is date_minute it doesnt understand its that specific data set to pull through. You would need to define this in the dropdown

If you open the dashboard in edit mode and try adding the below into your source data (hopefully this should be close based on the version of splunk you are using)

 <input type="dropdown" token="date_minute" searchWhenChanged="true">
      <label>Dashboard Test</label>
      <choice value="*">ALL</choice>
      <prefix>date_minute="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>date_minute</fieldForLabel>
      <fieldForValue>date_minute</fieldForValue>
      <search>
        <query>version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error | table date_minute</query>
        <earliest>@m</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
0 Karma
Reply

mb_30
New Member
‎07-17-2019 06:30 AM

alt text

Preview file
1 KB
0 Karma
Reply

mb_30
New Member
‎07-17-2019 02:05 AM

alt text

Preview file
1 KB
0 Karma
Reply

Sfry1981
Communicator
‎07-17-2019 02:48 AM

if its not matching then it must be picking up a different search.

Can you provide the search string for the table it relates to called error table?

0 Karma
Reply

mb_30
New Member
‎07-17-2019 03:05 AM

hi,

this search I use in the drop-list:
version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year , date_month as month ,date_mday as day ,date_hour as hour,date_minute as minute ,date_second as second| sort day,minute,second |fillnull value=\"not_defined\" year,version,error | stats count by minute

and this one i use in the statistic table:
version error* | table date_year,date_month,date_mday,date_hour,date_minute,date_second ,version,host,error,source | rename date_year as year , date_month as month ,date_mday as day ,date_hour as hour,date_minute as minute ,date_second as second| sort year ,day,hour,minute,second |fillnull value="not defined" year,version,error

the time range is 24 hours for all of my searches

0 Karma
Reply

Sfry1981
Communicator
‎07-17-2019 06:02 AM

You need to make sure both searches correlate with each other so its pulling through exactly the same minutes as the other. Try the below in the dropdown search and this should produce the matching minutes that you see in your statistic table as long as the timeframe in the dropdown is the same or greater than the statistics table. 

version error* | table date_year,date_month,date_mday,date_hour,date_minute,date_second ,version,host,error,source | rename date_year as year , date_month as month ,date_mday as day ,date_hour as hour,date_minute as minute ,date_second as second| sort year ,day,hour,minute,second |fillnull value="not defined" year,version,error | stats count by minute

I would actually recommend you increase your timeframe in your dropdown list just so it pulls through as as much info as possible as then if you create other statistic tables that has a arger date range you could use it for that also.

Let me know if this works

0 Karma
Reply

mb_30
New Member
‎07-17-2019 06:13 AM

hi,
it's working but I need to see in the static table all the data if I use the same search I only see the count of the minute.

I based my search on this tutorial: https://www.youtube.com/watch?v=cdWXKBzPZ78
my final goal is to use the same options that were presented in this tutorial.

0 Karma
Reply

Sfry1981
Communicator
‎07-17-2019 06:20 AM

I had a quick look at the video and can see ohw he has attached all the dropdowns to the charts so it looks like your practically there

When you say you only see the count of the minute, do you mean all other data disappears in the statistics table and only shows the count of the minute?

0 Karma
Reply

mb_30
New Member
‎07-17-2019 06:30 AM

Exactly -->"do you mean all other data disappears in the statistics table and only shows the count of the minute? "

0 Karma
Reply

mb_30
New Member
‎07-17-2019 01:34 AM

alt text

Preview file
1 KB
0 Karma
Reply

mb_30
New Member
‎07-16-2019 06:48 AM

it didn't help, please advise
attaching a screenshot of the result.

As you see in the screenshot I have a table that returns minutes Ialt text need to get these minutes to the dropdown list, then selection of minutes should influence the table in the screenshot.

Preview file
1 KB
0 Karma
Reply

Sfry1981
Communicator
‎07-16-2019 07:46 AM

If you use the search string in the token options do any search results come back?

You could try one of the below if it doesnt and use this as the search string

version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error | stats count by date_minute

or try this

version error* | table date_year,date_month,date_mday,date_minute,date_second ,version,host,error,source | mvexpand error| rename date_year as year| sort day,minute,second |fillnull value=\"not defined\" year,version,error | stats count by minute

If you could post the source code for that token to have a look as well to see what has changed

0 Karma
Reply

mb_30
New Member
‎07-17-2019 01:32 AM

hi, thanks I added the search to the drop-down list and it worked but the result of the drop-down list does not match to the result of the statistic table.

0 Karma
Reply

Sfry1981
Communicator
‎07-17-2019 02:43 AM

Just had another thought. It may be to do with the time frame is not set far enough back.

when you go into edit mode and click on the pencil to edit the dropdown. Underneath the search string is the time field. Make sure this is set far enough back so it can pick up all the minutes that have been available in the past so you can use it to parse into your search.

Maybe use the default range of 'year to date' so it picks up everything this year

0 Karma
Reply

Sfry1981
Communicator
‎07-17-2019 01:36 AM

Hi @mb_30

Can you provide a screenshot so i can have a look further?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...