Dashboards & Visualizations

Dynamic Dropdown Using Timepicker

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I'm trying to create a dynamic drop down where the values of the 'user' drop down menu will be dependent on the time range selected.

This is the code I've put together:

<form>
  <label>Analysis of Splunk users activity</label>
  <fieldset submitButton="false">
    <input searchWhenChanged="true" token="timerange" type="time">
      <label>Time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="user">
      <label>field1</label>
      <search>
        <query>(index=_audit action=search) OR (index=_internal) between $timerange.earliest$ and $timerange.latest$
| dedup user
| stats count by user
| fields user
| sort +user</query>
      </search>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <choice value="*">All</choice>
    </input>
  </fieldset>
</form>

But I can't get the drop down menu to populate with the correct users.

I just wondered whether someone could look at this please and offer some guidance on how I may go about achieving this and where I've gone wrong?

Many thanks and kind regards

Chris

1 Solution

niketn
Legend

The only way to include global time picker tokens in inputs like a dropdown is to use earliest and latest in the base query itself: earliest=$timerange.earliest$ latest=$timerange.latest$. Input controls will not allow you to define <earliest> and <latest> nodes for the time picker token selection.

Also, if you are using dedup on user, you don't need to add stats again (both perform the same task, so you can finish with a table user command).

<input type="dropdown" token="user">
  <label>Select User</label>
  <search>
    <!-- time picker tokens go into the query itself -->
    <query>(index=_audit action=search) OR (index=_internal) earliest=$timerange.earliest$ latest=$timerange.latest$
| dedup user
| sort user
| table user</query>
  </search>
  <fieldForLabel>user</fieldForLabel>
  <fieldForValue>user</fieldForValue>
  <choice value="*">All</choice>
</input>
</fieldset>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
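A complete form built on the technique in this answer, added here as an illustration rather than code taken from the thread: the dropdown's population search carries the picker tokens inline, and a panel then consumes both the selected user and the same time range. The panel, the `info=granted` filter, the `search`/`search_id` columns and the `<default>` values are assumptions of the example, not part of the original post.

```xml
<form>
  <label>Analysis of Splunk users activity</label>
  <fieldset submitButton="false">
    <input type="time" token="timerange" searchWhenChanged="true">
      <label>Time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="user" searchWhenChanged="true">
      <label>User</label>
      <!-- Population search: the picker tokens are placed in the query, so the
           list of users is rebuilt every time $timerange$ changes.
           Assumption: only granted searches from the audit index are listed. -->
      <search>
        <query>earliest=$timerange.earliest$ latest=$timerange.latest$ index=_audit action=search info=granted user=*
| stats count BY user
| sort user</query>
      </search>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <choice value="*">All</choice>
      <!-- assumption: start with every user selected -->
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Searches run by $user$ in the selected window</title>
      <table>
        <!-- Consumer search: same window, scoped to the chosen user.
             Quoting the token keeps a username containing spaces intact;
             with "All" selected the quoted wildcard still matches everyone. -->
        <search>
          <query>index=_audit action=search info=granted user="$user$"
| table _time user search_id search</query>
          <earliest>$timerange.earliest$</earliest>
          <latest>$timerange.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Whatever is chosen in the dropdown is interpolated into the panel's SPL, so the quoted form `user="$user$"` is the one to keep: it turns an unexpected value into a literal match instead of extra search syntax.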


Ashwini008
Builder

@niketn I am using customized global time picker. I am pulling data from DB and I need to pass these tokens of global time picker in my DB query to pull the data according to selected presets.

Global time picker consists of: 24HRS, LAST7DAYS, LAST30DAYS, BETWEEN, SINCE.

<input type="time" id="date" token="lowerdate" searchWhenChanged="true">
  <label>Date</label>
  <default>
    <earliest></earliest>
    <latest></latest>
  </default>
</input>

dbxquery connection=AXI_WER query="select * from SPLUNK.TOOL_TABLE" shortnames=t
| eval DATE=strftime(strptime(DATE,"%Y%m%d"),"%m/%d/%Y %H:%M:%S")
| eval DATE=strptime(DATE,"%m/%d/%Y %H:%M:%S")
| search DATE>=$lowerdate.earliest$ AND DATE<=$lowerdate.latest$
| table SYSTEM

P.S. Format of the DB DATE field: YYYYMMDD (20200929)

In the highlighted part I am able to pass the BETWEEN and SINCE presets and it works fine. Could you please suggest how to pass the other tokens in the query, i.e. 24hrs, last7days, last30days?

I have reached dead end with my options, so any help would be great!

Thank you.

 

0 Karma

niketn
Legend

@Ashwini008 refer to another answer of mine with a couple of workarounds to set the required tokens based on the time input selection. One of them uses the input change event handler and the other one, which is more dynamic, uses an independent search: https://community.splunk.com/t5/Archive/Running-one-of-two-searches-based-on-time-picker-selection/t...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
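The independent-search workaround referred to above, as an added example and not the code from the linked answer: `addinfo` resolves whatever the picker produced, including relative presets such as `-24h@h` or `-7d@d`, into epoch seconds, and a `<done>` handler publishes them as tokens that the dbxquery pipeline compares against. The token names `lower_epoch`/`upper_epoch`, the `-24h@h` default and the treatment of "All time" (where `addinfo` reports `info_max_time` as `+Infinity`) are assumptions of the example; the connection and table names are the ones from the post.

```xml
<form>
  <label>DB rows within the selected time range</label>
  <!-- Independent search: re-runs whenever $lowerdate$ changes. The picker's
       earliest/latest are applied as the search window, and addinfo reports
       that window back as epoch seconds (info_min_time / info_max_time). -->
  <search>
    <query>| makeresults
| addinfo
| eval lower=info_min_time
| eval upper=if(info_max_time="+Infinity", now(), info_max_time)
| table lower upper</query>
    <earliest>$lowerdate.earliest$</earliest>
    <latest>$lowerdate.latest$</latest>
    <done>
      <!-- assumption: token names chosen for this example -->
      <set token="lower_epoch">$result.lower$</set>
      <set token="upper_epoch">$result.upper$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" id="date" token="lowerdate" searchWhenChanged="true">
      <label>Date</label>
      <default>
        <!-- assumption: last 24 hours by default -->
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- The DB DATE column is YYYYMMDD; it is parsed once to epoch and
             compared with the epoch tokens, so every preset works the same way.
             Inside XML the comparison operators must be written as entities. -->
        <search>
          <query>| dbxquery connection=AXI_WER query="select * from SPLUNK.TOOL_TABLE" shortnames=t
| eval DATE_EPOCH=strptime(DATE,"%Y%m%d")
| where DATE_EPOCH&gt;=$lower_epoch$ AND DATE_EPOCH&lt;=$upper_epoch$
| table SYSTEM DATE</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The date filtering stays on the Splunk side, as in the post. If the epoch tokens were spliced into the SQL text instead, user-controlled picker values would reach the database unchecked, so keep them in the SPL `where` clause.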

IRHM73
Motivator

Hi @niketnilay, thank you for taking the time to reply. The solution works great.

Many thanks and kind regards

Chris

0 Karma

niketn
Legend

Anytime Chris... Glad it worked! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

aholzel
Communicator

You should add the time range below the search, between earliest and latest tags (just like the timerange input):

<form>
  <label>Analysis of Splunk users activity</label>
  <fieldset submitButton="false">
    <input searchWhenChanged="true" token="timerange" type="time">
      <label>Time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="user">
      <label>field1</label>
      <search>
        <query>(index=_audit action=search) OR (index=_internal)
| dedup user
| stats count by user
| fields user
| sort +user</query>
        <!-- the time range nodes belong inside the input's <search> element -->
        <earliest>$timerange.earliest$</earliest>
        <latest>$timerange.latest$</latest>
      </search>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <choice value="*">All</choice>
    </input>
  </fieldset>
</form>

IRHM73
Motivator

Hi @aholzel, thank you for taking the time to reply. Unfortunately it didn't quite work as expected, but as you can see I was able to achieve the expected results from the solution provided by @niketnilay.

Many thanks and kind regards

Chris

0 Karma

svenfurrer
New Member

Hi @aholzel,
If you include the <earliest> and <latest> tags within the <search>, your solution works for me and prevents the search from failing when you choose "All time" in the time picker.
Thanks,
Sven

0 Karma