Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a dropdown search on columns of data which aren't indexed and a text box for keyword searches?

sjanwity
Communicator
‎10-16-2014 10:14 AM

I have splunk's dbconnect app return me some columns, let's say they're they sample below:

 Table Customers-History:

 TIMESTAMP            | OPERATION | Customer ID | Customer Name | Customer Address
 1-Dec-2010 09:52:1232| INSERT     | 002        | Kyle A          | 10 Gammon Road
 2-Dec-2010 09:54:9500| DELETE     | 002         | Kyle A         | 10 Gammon Road
 2-Dec-2010 09:54:9900| INSERT     | 002         | Kyle A        | 16 Gammon Road
 2-Dec-2010 09:55:9921| DELETE     | 003         | Josh C        | 21 Drury Lane

I want to create a dropdown box where the user selects the column they want to search in (i.e. timestamp, operation, customer id, customer name, customer address) and then a text box where the user enters the keyword for the search

I've followed the splunk tutorial on this at http://docs.splunk.com/Documentation/Splunk/6.1.4/Viz/Buildandeditforms#Static_and_dynamic_inputs_to... but they assume that my columns are labelled as sourcetype when my columns are actually just columns returned from the dbconnect app. How can I work around this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-16-2014 01:44 PM

You probably don't want to set a dynamic input for this. I would do this in Simple XML

<fieldset>
     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
         <choice value="OPERATION">Operation</choice>
         <choice value="CustomerID">Customer ID</choice>
         <choice value="CustomerName">Customer Name</choice>
         <choice value="CustomerAddr">Customer Address</choice>
     </input>
  <input type="text" token="searchText">
    <label>Enter the value of the field</label>
  </input>
 </fieldset>
...
  <searchTemplate>
    yoursearchherewith $searchColumn$="$searchText$"
  </searchTemplate>

If you really want to dynamically generate the list of field names in the drop down, you can do this

     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
        <populatingSearch fieldForValue="fieldName" fieldForLabel="fieldName">
              <![CDATA[yourDBconnectsearchhere | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName]>
       </populatingSearch>
     </input>

Everything else stays the same.

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-16-2014 01:45 PM

So... you're running a dbquery whenever the user makes an input?

I see two options. Either modify the SQL being run like so:

| dbquery some_database "select * from foo where $column$ = '$value$'"

Or have Splunk filter the results like so:

| dbquery some_database "select * from foo" | search $column$ = "$value$"

In both cases $column$ is the token for the selected column and $value$ is the value entered into the text box.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-17-2014 02:46 AM

Combine Lisa's UI-minded answer with my search-minded answer.

0 Karma
Reply
Solved! Jump to solution

sjanwity
Communicator
‎10-17-2014 02:10 AM

not quite what I was looking for...I want a dropdown box for the user to select what column he wants to search on.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-16-2014 01:44 PM

You probably don't want to set a dynamic input for this. I would do this in Simple XML

<fieldset>
     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
         <choice value="OPERATION">Operation</choice>
         <choice value="CustomerID">Customer ID</choice>
         <choice value="CustomerName">Customer Name</choice>
         <choice value="CustomerAddr">Customer Address</choice>
     </input>
  <input type="text" token="searchText">
    <label>Enter the value of the field</label>
  </input>
 </fieldset>
...
  <searchTemplate>
    yoursearchherewith $searchColumn$="$searchText$"
  </searchTemplate>

If you really want to dynamically generate the list of field names in the drop down, you can do this

     <input type="dropdown" token="searchColumn">
         <label>Select a column to search</label>
        <populatingSearch fieldForValue="fieldName" fieldForLabel="fieldName">
              <![CDATA[yourDBconnectsearchhere | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName]>
       </populatingSearch>
     </input>

Everything else stays the same.

Reply
Solved! Jump to solution

lguinn2
Legend
‎10-17-2014 02:30 PM

Yes, this will work with a time range picker. To explicitly add a timerange picker in Simple XML:

  <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Select time range</label>
      <default>
        <earliestTime>-7d@h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>

The above input goes into your fieldset tag along with the other information. Note that this example sets the timerange picker to "Last 7 days" as a default, but you can change that, of course.

You can use the resulting time selection in both the populating search and the actual search that creates the report. For example:

<populatingSearch fieldForValue="fieldName" fieldForLabel="fieldName">
    <![CDATA[yourDBconnectsearchhere earliest=$time_tok.earliest$ latest=$time_tok.latest$
              | fieldsummary maxvals=1 | rename field as fieldName | fields fieldName]>
</populatingSearch>

And

  <chart>
        <title>Source type count for last 7 days</title>
        <searchString>
         youractualsearchhere
        </searchString>
        <earliestTime>$time_tok.earliest$</earliestTime>
        <latestTime>$time_tok.latest$</latestTime>
        ...
</chart>
0 Karma
Reply
Solved! Jump to solution

sjanwity
Communicator
‎10-17-2014 02:09 AM

By 'yourDBconnectsearchhere' you mean my query, right? Because the query is quite long and goes through quite a few splunk processes! Will this also work with a time range picker?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...