Solved: Re: How to create a ALL option in the dropdown?

anooshac · ‎03-30-2022

Hi everyone, I am facing a problem with the drop downs. I have 2 drop downs one is a group and other one is subgroup. The first drop down has a list of the group names. In the second drop down it will show the sub groups of the groups we selected from the first one. I want to include the option "All" in the second drop down. I want to pass only the values of those sub groups of respective group selected to the queries. But if i use "*" for all it is giving all the subgroups together irrespective of the group selected. Anyone knows how to solve this?

kamlesh_vaghela · ‎04-01-2022

@anooshac

Can you please try this XML. Just make sure you replace below search in XML with you search which should have Group and Sub_Group fields with proper value .

| makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group

XML:

<form>
  <label>Group SubGroup</label>
  <search id="subgroup_search_for_values" base="subgroup_search">
    <query>| search Sub_Group="$tkn_subgroup$" | table Sub_Group | format</query>
    <done>
      <set token="condition_tkn">$result.search$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_group" searchWhenChanged="true">
      <label>Group</label>
      <fieldForLabel>Group</fieldForLabel>
      <fieldForValue>Group</fieldForValue>
      <search>
        <query>| makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 
| dedup Group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.tkn_subgroup"></unset>
      </change>
      
    </input>
    <input type="dropdown" token="tkn_subgroup" searchWhenChanged="true">
      <label>Sub Group</label>
      <fieldForLabel>Sub_Group</fieldForLabel>
      <fieldForValue>Sub_Group</fieldForValue>
      <search id="subgroup_search">
        <query>
        | makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 
| search Group="$tkn_group$"
| dedup Sub_Group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎03-30-2022

@anooshac

May be this example will help you, can you please try it?

<form>
  <label>Group SubGroup</label>
  <search id="subgroup_search_for_values" base="subgroup_search">
    <query>| search subgroup="$tkn_subgroup$" | table subgroup | format</query>
    <done>
      <set token="condition_tkn">$result.search$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_group" searchWhenChanged="true">
      <label>Group</label>
      <fieldForLabel>group</fieldForLabel>
      <fieldForValue>group</fieldForValue>
      <search>
        <query>| makeresults count=10 
| eval a=1 
| accum a 
| eval group= if(a%2==1,"group ".a,null()) 
| filldown group 
| eval subgroup = "sub".group."_".a
| rename comment as "Upto now is for sample data only" 
| table group subgroup
| dedup group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.tkn_subgroup"></unset>
      </change>
      
    </input>
    <input type="dropdown" token="tkn_subgroup" searchWhenChanged="true">
      <label>Sub Group</label>
      <fieldForLabel>subgroup</fieldForLabel>
      <fieldForValue>subgroup</fieldForValue>
      <search id="subgroup_search">
        <query>| makeresults count=10 
| eval a=1 
| accum a 
| eval group= if(a%2==1,"group ".a,null()) 
| filldown group 
| eval subgroup = "sub".group."_".a
| rename comment as "Upto now is for sample data only" | search group="$tkn_group$"
| table group subgroup
| dedup subgroup</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

anooshac · ‎03-31-2022

Hi @kamlesh_vaghela , Thank you for replying.

Actually i have a source file in which group and subgroup are present. This solution you provided will automatically prepares data right? can you just help me how can i use this query for my data? My source file is csv file.

kamlesh_vaghela · ‎03-31-2022

Yes @anooshac

Please share sample data and the part of data has Group and Subgroup name, so I can help you on search design.

KV

anooshac · ‎03-31-2022

@kamlesh_vaghela,This is how the data looks like in the csv file. It has one or two lines

Group;Sub_Group; Url ; Date

A; A1; https:...; 31-03-2022

A;A2;https.....;01-04-2022

I have many files in this format.I am trying to prepare a dashboard from these data which has drilldown for both Group and subgroup. When i click on any of the group it should show "All" by default. Currently it is showing. But "All" is considered * but not all the subgroups of the particular group.

kamlesh_vaghela · ‎03-31-2022

@anooshac

Just confirming, did you get field extracted from csv file? Can you please confirm it by just executing below search ?

YOUR_SEARCH_FOR_CSV_EVENTS
| table _raw Group Sub_Group Url Date

KV

anooshac · ‎03-31-2022

@kamlesh_vaghela,

yes.I get field extracted from csv file.

kamlesh_vaghela · ‎04-01-2022

@anooshac

Can you please try this XML. Just make sure you replace below search in XML with you search which should have Group and Sub_Group fields with proper value .

| makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group

XML:

<form>
  <label>Group SubGroup</label>
  <search id="subgroup_search_for_values" base="subgroup_search">
    <query>| search Sub_Group="$tkn_subgroup$" | table Sub_Group | format</query>
    <done>
      <set token="condition_tkn">$result.search$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_group" searchWhenChanged="true">
      <label>Group</label>
      <fieldForLabel>Group</fieldForLabel>
      <fieldForValue>Group</fieldForValue>
      <search>
        <query>| makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 
| dedup Group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.tkn_subgroup"></unset>
      </change>
      
    </input>
    <input type="dropdown" token="tkn_subgroup" searchWhenChanged="true">
      <label>Sub Group</label>
      <fieldForLabel>Sub_Group</fieldForLabel>
      <fieldForValue>Sub_Group</fieldForValue>
      <search id="subgroup_search">
        <query>
        | makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 
| search Group="$tkn_group$"
| dedup Sub_Group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

anooshac · ‎04-01-2022

Thank you so much it is working.

How to create a ALL option in the dropdown?

chart

panel

token

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!