Hi Folks,
I'm developing an interactive dashboard which reads a large CSV file with several fields.
The dashboard has an Input for each field to allow users to filter results. Several of the Inputs are text boxes.
The default value for these text inputs is "All", with the intention that 'All' results for that field are returned until 'All' is overtyped with a value to filter that field on.
The following code example for the 'Application' text input works fine when "All" is overtyped, returning all rows that match the string passed from the dashboard through $appToken$ . . .but if it is left as the default of "All", no results are found:
| where if($appToken$="All",like(Application,"%"),like(Application,"%$appToken$%"))
I've tried several combinations of like, match, quotes, * and %, and can't get anything to work.
The following code works through search, returning all rows, so I'm not sure why it doesn't work in the source of my dashboard?
| where like(Application,"%")
Any help would be greatly appreciated.
Thanks,
Doug.
Do it like this:
...
<fieldset autoRun="false" submitButton="true">
<input type="dropdown" token="Application_Token" searchWhenChanged="false">
<label>Select an Application:</label>
<prefix>Application="</prefix>
<suffix>"</suffix>
<choice value="*">All</choice>
<fieldForLabel>label</fieldForLabel>
<fieldForValue>value</fieldForValue>
<search>
<query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
<earliest>-1s</earliest>
<latest>now</latest>
</search>
...
Then, in your search, just do like this:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcdetypeToo $Application_Token$
Do it like this:
...
<fieldset autoRun="false" submitButton="true">
<input type="dropdown" token="Application_Token" searchWhenChanged="false">
<label>Select an Application:</label>
<prefix>Application="</prefix>
<suffix>"</suffix>
<choice value="*">All</choice>
<fieldForLabel>label</fieldForLabel>
<fieldForValue>value</fieldForValue>
<search>
<query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
<earliest>-1s</earliest>
<latest>now</latest>
</search>
...
Then, in your search, just do like this:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcdetypeToo $Application_Token$
Wow! . . . That is so cool the way it populates the dropdown.
After a bit of experimenting, I got it working with the code below.
Thanks for all your help - really appreciated!
<input type="dropdown" token="appToken" searchWhenChanged="true">
<label>Application</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>Application</fieldForLabel>
<fieldForValue>Application</fieldForValue>
<search>
<query>
| inputlookup alerts_CTM_all_added_fields.csv
| stats count by Application
</query>
<earliest>-4h@m</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>
| inputlookup alerts_CTM_all_added_fields.csv
| search Application="$appToken$"
| table Time Nodeid Application Memname Message Support
</query>
</search>
Try this:
... | where like(Application, if($appToken$="All", "%", "%$appToken$%"))
But this is completely the wrong way to do it. The correct way is to use both value
and label
and set the value
for the label All
to be *
. You will populate your list like this:
| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label | append [|makeresults | eval value = "All", label = "*" ] | table label value
Check out the Dashboard Examples
app for this approach.
Thanks woodcock.
I tried installing the dashboard examples app, but Splunk here at work is locked down and I don't have access.
I dug out my private sandbox to try and install it, but my sandbox has long since expired.
I tried your first example, but got the same result as my initial code - no rows were displayed.
I then browsed through the online Splunk documentation on tokens, and under token filters, noticed $token_name|s$
which seemed promising.
I tried this with your code and with my original code, and it seems to work for both - returned all rows when I entered 'All' through the dashboard, and returned just the rows containing the string when I overtyped 'All' with a string:
| where like(Application, if($appToken|s$="All", "%", "%$appToken$%"))
| where if($appToken|s$="All",like(Application,"%"),like(Application,"%$appToken$%"))
However, I've been self taught so far - stitching together code I've googled - so I might well being doing things the wrong way.
Therefore I'll persevere with trying to understand how value
and label
work and trying out your second example - it would be good to put 'best practice' in place.
Thanks for your help.
See my other answer for full XML.
When the default selection of "All" is used, what is the value of $appToken$. If it's "All" or *
, then like(Application,"%$appToken$%")
is looking for Application values containing "All" or "*". If you can get the default setting to map to "" (empty string) or %
then the code should work.
The second where
clause works because the single wildcard matches all values.
Thanks richgalloway, although I am still a little confused, so I did a couple of tests . . .
When I enter Test in the dashboard, I can see that $appToken$ is set to Test and only rows that have an Application with Test in their names are displayed in the dashboard, so the second clause like(Application,"%$appToken$%")
is working successfully.
I then changed the code to | where if($appToken$="Test"
in attempt to trigger the first clause to show all Applications:
| where if($appToken$="Test",like(Application,"%"),like(Application,"%$appToken$%"))
However, I got the same result as the first test (only Applications with Test in their names showing in the dashboard), so the second clause was still triggering.
Therefore, it must be the first part of the IF statement that is not working . . . for some reason | where if($appToken$="Test"
is not matching the input from the dashboard, even though I can see that $appToken$ is set to Test?