How to create dropdown "all" from dynamic search r...

cclva · ‎04-26-2023

Hello,

I have a dropdown which runs a search query that returns a subset of potential results. I want to create an "ALL" value option which only applies the results of the subset from that search.

    <input type="dropdown" token="mytoken">
      <label>My Token</label>
      <choice value="*">ALL</choice>
      <initialValue>*</initialValue>
      <fieldForLabel>resultName</fieldForLabel>
      <fieldForValue>resultValue</fieldForValue>
      <search>
        <query>
          index="AnIndex" type="FilterType"
        </query>
      </search>
    </input>

This token is used in a panel as follows:

    <panel>
      <single>
        <title>Warnings</title>
        <search>
          <query>
            index="AnIndex" myToken=$mytoken$ level="warn" | stats count(message)
          </query>
        </search>
        ...
    </panel>

As it currently is, the default value for the dropdown resolves to the wildcard `*`. I want the default value to only be the subset that my query returns.

Any help appreciated, thank you.

rut · ‎04-26-2023

Seeing you specifically want the subset filtered, using a wildcard will not help narrow anything down. Bit of a workaround, but maybe the following helps achieving your goal:

Change the initial value to an empty value
Filter your search by applying your sub-search
Apply the filter field when selected

So, something like:

..
<initialValue></initialValue>
<choice value="">All</choice>
..

<query>
  index="AnIndex" level="warn" 
  ``` Filter by applying a subsearch ```
  | search [ | search index="AnIndex" type="FilterType" | fields resultValue ]
  ``` Filter again when $mytoken$ is not empty and matches myToken ```
  | where len("$mytoken$")=0 OR myToken="$mytoken$"
  | stats count(message)
</query>

cclva · ‎04-26-2023

Thanks for the response.

This looks like it will work, but my dropdown search has a pretty high response time, so I would want to extract that out. I would expect this solution to have to run the inner search multiple times, and I have a lot of panels that use this token.

Inspired me though, would it be possible to write something for the initial value that groups up all the values together, and I can use something like `token in ($mytoken$)`?

rut · ‎04-26-2023

~~I’m not sure if that type of grouping could work.~~ Edit; tested it to be sure. You can use the IN operator with search, but not with where (https://docs.splunk.com/Documentation/SCS/current/SearchReference/SearchCommandExamples#4._Using_the...). Because the "len" command the above suggestion uses where.

Depending on if the data needs to be live you could try scheduling the sub search into a lookup or chain searches using the id and base attribute.

About the chain searches, if performance is an issue and your dashboard panels use the same data source, you could ensure the heavy duty stuff only happens on page load by doing something like this:

<search id="base_search">
    <query>
     index=...
     ``` Apply resource heavy filtering here, which should only be executed on page load ```
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <search base="base_search" id="filtered_search">
    <query>
     ``` Apply dashboard token filtering here ```
     | where name IN ($field1$)
    </query>
  </search>
  <row>
    <panel>
      <event>
        <search base="filtered_search">
          <query>
            ``` Apply panel transforms here, repeat in multiple panels ```
            ...
          </query>
        </search>
      </event>
    </panel>
  </row>

How to create dropdown "all" from dynamic search results?

dashboard

token

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!