Solved: How to limit the 'All' option to what query actual...

sb01splunk · ‎04-11-2022

I would like to be able to limit the 'All' option to what my query actually returns and not for * entries for targetAppAlternateId.

<form theme="dark">
  <label>Logins</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="myApp">
      <label>Application:</label>
      <fieldForLabel>targetAppAlternateId</fieldForLabel>
      <fieldForValue>targetAppAlternateId</fieldForValue>
      <search>
        <query>index=myIndex targetAppAlternateId="App1.*" OR targetAppAlternateId="App2" | dedup targetAppAlternateId
| sort by targetAppAlternateId</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
    </input>

Any help would be greatly appreciated.

kamlesh_vaghela · ‎04-11-2022

@sb01splunk

Can you Please try below example?

<form>
  <label>Limit All Option in Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="myApp">
      <label>Application:</label>
      <fieldForLabel>targetAppAlternateId</fieldForLabel>
      <fieldForValue>targetAppAlternateId</fieldForValue>
      <search>
        <query>index=myIndex targetAppAlternateId="App1.*" OR targetAppAlternateId="App2" | dedup targetAppAlternateId
| sort by targetAppAlternateId</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="condition_tkn">targetAppAlternateId="App1.*" OR targetAppAlternateId="App2"</set>
        </condition>
        <condition>
          <set token="condition_tkn">targetAppAlternateId="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $myApp$ <br/>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

My Sample XML :

<form>
  <label>Limit All Option in Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="myApp">
      <label>Application:</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunk_w* OR sourcetype=splunkd | stats count by sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="condition_tkn">sourcetype=splunk_w* OR sourcetype=splunkd</set>
        </condition>
        <condition>
          <set token="condition_tkn">sourcetype="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $myApp$ <br/>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎04-11-2022

@sb01splunk

Can you Please try below example?

<form>
  <label>Limit All Option in Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="myApp">
      <label>Application:</label>
      <fieldForLabel>targetAppAlternateId</fieldForLabel>
      <fieldForValue>targetAppAlternateId</fieldForValue>
      <search>
        <query>index=myIndex targetAppAlternateId="App1.*" OR targetAppAlternateId="App2" | dedup targetAppAlternateId
| sort by targetAppAlternateId</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="condition_tkn">targetAppAlternateId="App1.*" OR targetAppAlternateId="App2"</set>
        </condition>
        <condition>
          <set token="condition_tkn">targetAppAlternateId="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $myApp$ <br/>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

My Sample XML :

<form>
  <label>Limit All Option in Search</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="myApp">
      <label>Application:</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunk_w* OR sourcetype=splunkd | stats count by sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="condition_tkn">sourcetype=splunk_w* OR sourcetype=splunkd</set>
        </condition>
        <condition>
          <set token="condition_tkn">sourcetype="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $myApp$ <br/>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

sb01splunk · ‎04-12-2022

I am sure I am doing something wrong but it is not working for me. Below is the full sample I am testing:

<form theme="dark">
  <label>Logins</label>
  <fieldset submitButton="false">
    <input type="time" token="selectTime">
      <label>Time:</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="myApp">
      <label>Application:</label>
      <fieldForLabel>targetAppAlternateId</fieldForLabel>
      <fieldForValue>targetAppAlternateId</fieldForValue>
      <search>
        <query>index=myIndex targetAppAlternateId="App1.*" OR targetAppAlternateId="App2" | dedup targetAppAlternateId
| sort by targetAppAlternateId</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="condition_tkn">targetAppAlternateId="App1.*" OR targetAppAlternateId="App2"</set>
        </condition>
        <condition>
          <set token="condition_tkn">targetAppAlternateId="$value$"</set>
        </condition>
      </change>      
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=myIndex targetAppAlternateId="$myApp$"
| stats count by targetAppAlternateId</query>
          <earliest>$selectTime.earliest$</earliest>
          <latest>$selectTime.latest$</latest>
          <refresh>1m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">none</option>
      </chart>
    </panel>
  </row>
</form>

kamlesh_vaghela · ‎04-12-2022

@sb01splunk

Just update your pie chart search with below one. 🙂

<query>index=myIndex $condition_tkn$
| stats count by targetAppAlternateId</query>

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

sb01splunk · ‎04-13-2022

Thank you so much! Works perfectly!

How to limit the 'All' option to what query actually returns and not for * entries for targetAppAlternateId

simple XML

token

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!