Dashboards & Visualizations

How to pass all dynamic dropdowns to search

sandeepmakkena
Contributor

I have two dropdowns

Dropdown one:
Groups all the status codes, which will display "Client Error" OR "Server Error"
Dropdown two:
Is auto-populated depending on Dropdown one.

For example:
If Client Error is selected in Dropdown one, Dropdown two will have options like 404, 401, 405, etc. My default value is * (ALL), but when it is passed to the search, it searches all the values, including ones other than Client Error.

I can group eval a group in all the searches, but I don't want to do that.
The only other way is to pass all the values that are dynamically populated to the search with an OR delimiter.

Just to make it clear if Dropdown1: Client error
and Dropdown 2: 400
404
406

The search should look something like this: host=* statuscode= 400 OR 404 OR 406 | stats count by statuscode.

<input type="dropdown" token="status" searchWhenChanged="true">
      <label>Select response status code:</label>
      <choice value="*">ALL</choice>
       <change>
        <condition label="ALL">
         <set token="status">$value$</set>
        </condition>
      </change>
      <fieldForLabel>s</fieldForLabel>
      <fieldForValue>s</fieldForValue>
      <search>
        <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| search Tstatus="$field3$"
| dedup s</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="field3" searchWhenChanged="true">
      <label>Select response status:</label>
      <choice value="*">ALL</choice>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search>
        <query>index=XXX "app"=D forwApp=$App$ host=$host$ 
| rename resStatus as s
| eval status=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| dedup status</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>

That is the code I'm using.
Thanks for your time!

0 Karma

arjunpkishore5
Motivator

If I understand your query right, you don't want to use * but you want to explicitly specify values like val1 OR val2, etc.

To do this, you'll have to add a few lines (lines 6 - 12) to the end of the query, as shown here:

index=XXX "app"=D forwApp=$App$ host=$host$ 
| rename resStatus as s 
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| search Tstatus="$field3$" 
| dedup s 
| rename s as search 
| appendpipe 
    [| format] 
| rename search as label 
| eval value=label 
| eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value) 
| sort sortord

The sortord is just there to ensure that ALL appears first on the list. You can omit that if you don't need it.
Your input will just have the following.

<input type="dropdown" token="status" searchWhenChanged="true">
       <label>Select response status code:</label>

       <fieldForLabel>s</fieldForLabel>
       <fieldForValue>s</fieldForValue>
       <search>
         <query>index=XXX "app"=D forwApp=$App$ host=$host$ 
| rename resStatus as s 
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| search Tstatus="$field3$" 
| dedup s 
| rename s as search 
| appendpipe 
    [| format] 
| rename search as label 
| eval value=label 
| eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value) 
| sort sortord</query>
         <earliest>$field1.earliest$</earliest>
         <latest>$field1.latest$</latest>
       </search>

     </input>

Note: This will only work if your search has any results. If not, your input will never populate.

Hope this helps
Cheers!

0 Karma

woodcock
Esteemed Legend

Do it like this:

...
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" token="statuscodeToken" searchWhenChanged="false">
      <label>Select an Application:</label>
      <prefix>statuscode IN(</prefix>
      <suffix>)</suffix>
      <choice value="400, 404, 406">All</choice>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
...

Then, in your search, just do like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcdetypeToo $statuscodeToken$
0 Karma

sandeepmakkena
Contributor

@woodcock thanks for your response. I just updated my question with the code I'm using; can you update your answer with that code, please?
Thanks!

0 Karma