Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamic Dropdown Using Timepicker

IRHM73
Motivator
‎04-10-2017 11:44 PM

Hi, I wonder whether someone could help me please.

I'm trying to create a dynamic drop down where the values of the 'user' drop down menu will be dependent on the time range selected.

This is the code I've put together:

<form>
  <label>Analysis of Splunk users activity</label>
  <fieldset submitButton="false">
    <input searchWhenChanged="true" token="timerange" type="time">
      <label>Time range:</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="user">
      <label>field1</label>
      <search>
        <query>(index=_audit action=search) OR (index=_internal) between $timerange.earliest$ and $timerange.latest$
| dedup user
| stats count by user
| fields user
| sort +user</query>
      </search>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <choice value="*">All</choice>
    </input>
  </fieldset>
</form>

But I can't get the drop down menu to populate with the correct users.

I just wondered whether someone could look at this please and offer some guidance on how I may go about achieving this and where I've gone wrong?

Many thanks and kind regards

Chris

Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-11-2017 01:52 AM

Only way to include global time picker tokens in Inputs like dropdown would be to use earliest and latest in the base query itself earliest=$timerange.earliest$ latest=$timerange.latest$. Input controls will not allow you to define <earliest> and <latest> nodes for time picker token selection.

Also if you are using dedup on user, you don't need to add stats again (both will perform the same task so you can finally use table user command).

      <input type="dropdown" token="user">
        <label>Select User</label>
       <search>
         <query>(index=_audit action=search) OR (index=_internal) earliest=$timerange.earliest$ latest=$timerange.latest$
 | dedup user
 | sort user
 | table user</query>
       </search>
       </search>
       <fieldForLabel>user</fieldForLabel>
       <fieldForValue>user</fieldForValue>
       <choice value="*">All</choice>
     </input>
   </fieldset>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-11-2017 01:52 AM

Only way to include global time picker tokens in Inputs like dropdown would be to use earliest and latest in the base query itself earliest=$timerange.earliest$ latest=$timerange.latest$. Input controls will not allow you to define <earliest> and <latest> nodes for time picker token selection.

Also if you are using dedup on user, you don't need to add stats again (both will perform the same task so you can finally use table user command).

      <input type="dropdown" token="user">
        <label>Select User</label>
       <search>
         <query>(index=_audit action=search) OR (index=_internal) earliest=$timerange.earliest$ latest=$timerange.latest$
 | dedup user
 | sort user
 | table user</query>
       </search>
       </search>
       <fieldForLabel>user</fieldForLabel>
       <fieldForValue>user</fieldForValue>
       <choice value="*">All</choice>
     </input>
   </fieldset>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

Ashwini008
Builder
‎08-25-2020 12:06 AM

@niketn I am using customized global time picker. I am pulling data from DB and I need to pass these tokens of global time picker in my DB query to pull the data according to selected presets.

Global time picker consists of :24HRS,LAST7DAYS,LAST30DAYS,BETWEEN,SINCE.

<input type="time" id="date" token="lowerdate" searchWhenChanged="true">
        <label>Date</label>
        <default>
          <earliest></earliest>
          <latest></latest>
        </default>
      </input>

dbxquery connection=AXI_WER query="select * from SPLUNK.TOOL_TABLE" shortnames=t|eval DATE= strftime(strptime(DATE,"%Y%m%d"),"%m/%d/%Y %H:%M:%S") |eval DATE= strptime(DATE,"%m/%d/%Y %H:%M:%S") |search DATE&gt;=$lowerdate.earliest$ AND DATE&lt;=$lowerdate.latest$ |table SYSTEM

P.S. Format of DB DATE FIELD-YYYYMMDD (20200929)

In highlighted part I am able to pass BETWEEN SINCE presets and it works fine. could you please suggest me how to pass other tokens in the query i.e.24hrs,last7days,last30days.

I have reached dead end with my options, so any help would be great!

Thank you.

 

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-25-2020 04:25 AM

@Ashwini008 refer to another answer by me with couple of workarounds to set the required tokens based on time input selection. One of the uses input change event handler and other one which is more dynamic uses an independent search: https://community.splunk.com/t5/Archive/Running-one-of-two-searches-based-on-time-picker-selection/t...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-11-2017 02:54 AM

Hi @niketnilay, thank you for taking the time to reply. The solution works great.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-11-2017 04:37 AM

Anytime Chris... Glad it worked! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

aholzel
Communicator
‎04-11-2017 01:45 AM

you should add the time range below the search between earliest and latest brackets ( just like the timerange input):

<form>
   <label>Analysis of Splunk users activity</label>
   <fieldset submitButton="false">
     <input searchWhenChanged="true" token="timerange" type="time">
       <label>Time range:</label>
       <default>
         <earliest>@d</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="dropdown" token="user">
       <label>field1</label>
       <search>
         <query>(index=_audit action=search) OR (index=_internal)
 | dedup user
 | stats count by user
 | fields user
 | sort +user</query>
       </search>
         <earliest>$timerange.earliest$</earliest>
         <latest>$timerange.latest$</latest>
       <fieldForLabel>user</fieldForLabel>
       <fieldForValue>user</fieldForValue>
       <choice value="*">All</choice>
     </input>
   </fieldset>
 </form>
Reply
Solved! Jump to solution

IRHM73
Motivator
‎04-11-2017 02:55 AM

Hi @aholzel, thank you for taking the time to reply. Unfortunately it didn't quite work as expected, but as you can see I was able to achieve the expected results from the solution provided by @niketnilay.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

svenfurrer
New Member
‎01-23-2018 01:50 PM

Hi @aholzel
If you include the and tags within the your solution works for me and prevents the search from failling when you choose "All time" in the time picker.
Thanks
Sven

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...