How to pass all dynamic dropdowns to search

Contributor

I have two dropdowns

Dropdown one:
Groups all the status codes, which will display "Client Error" OR "Server Error"
Dropdown two:
Is auto-populated depending on Dropdown one.

For example:
If Client Error is selected in Dropdown one, Dropdown two will have options like 404, 401, 405, etc. My default value is * (ALL), but when it is passed to the search, it searches all the values, including those other than Client Error.

I can group eval a group in all the searches, but I don't want to do that.
The only other way is to pass all the values that are dynamically populated to the search with an OR delimiter.

Just to make it clear, if Dropdown 1: Client Error
and Dropdown 2: 400, 404, 406

Search should look something like this: host=* statuscode= 400 OR 404 OR 406 | stats count by statuscode.

<input type="dropdown" token="status" searchWhenChanged="true">
      <label>Select response status code:</label>
      <choice value="*">ALL</choice>
       <change>
        <condition label="ALL">
         <set token="status">$value$</set>
        </condition>
      </change>
      <fieldForLabel>s</fieldForLabel>
      <fieldForValue>s</fieldForValue>
      <search>
        <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| search Tstatus="$field3$"
| dedup s</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="field3" searchWhenChanged="true">
      <label>Select response status:</label>
      <choice value="*">ALL</choice>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search>
        <query>index=XXX "app"=D forwApp=$App$ host=$host$ 
| rename resStatus as s
| eval status=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| dedup status</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>

That is the code I'm using.
Thanks for your time!

0 Karma

Motivator

If I understand your query right, you don't want to use * but you want to explicitly specify values like val1 OR val2, etc.

To do this you'll have to add a few lines (lines 6 - 12) to the end of the query as shown here:

index=XXX "app"=D forwApp=$App$ host=$host$ 
| rename resStatus as s 
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| search Tstatus="$field3$" 
| dedup s 
| rename s as search 
| appendpipe 
    [| format] 
| rename search as label 
| eval value=label 
| eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value) 
| sort sortord

The sortord is just there to ensure that ALL appears first on the list. You can omit that if you don't need it.
Your input will just have the following.

<input type="dropdown" token="status" searchWhenChanged="true">
       <label>Select response status code:</label>

       <fieldForLabel>label</fieldForLabel>
       <fieldForValue>value</fieldForValue>
       <search>
         <query>index=XXX "app"=D forwApp=$App$ host=$host$ 
| rename resStatus as s 
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error") 
| search Tstatus="$field3$" 
| dedup s 
| rename s as search 
| appendpipe 
    [| format] 
| rename search as label 
| eval value=label 
| eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value) 
| sort sortord</query>
         <earliest>$field1.earliest$</earliest>
         <latest>$field1.latest$</latest>
       </search>

     </input>

Note: This will only work if your search has any results. If not, your input will never populate.

Hope this helps
Cheers!

0 Karma

Esteemed Legend

Do it like this:

...
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" token="statuscodeToken" searchWhenChanged="false">
      <label>Select an Application:</label>
      <prefix>statuscode IN(</prefix>
      <suffix>)</suffix>
      <choice value="400, 404, 406">All</choice>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
...

Then, in your search, just do like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo $statuscodeToken$

0 Karma

Contributor

@woodcock thanks for your response. I just updated my question with the code I'm using. Can you update your answer with that code, please?
Thanks!

0 Karma
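
An added example, not written by any poster in this thread and not Splunk's own code: the prefix/suffix `IN (...)` approach from the last answer applied to the dashboard in the question, with the ALL choice computed by the populating search so it expands only to the codes in the selected group. It assumes the `App`, `host` and `field1` (time picker) inputs from the original dashboard are defined in the same fieldset, uses static choices for the first dropdown for brevity, and the chart panel is illustrative.

```xml
<form>
  <label>Status codes by group (added example)</label>
  <fieldset submitButton="false">
    <!-- Assumption: the App, host and field1 (time) inputs from the original dashboard go here -->
    <!-- Dropdown one: status group; token name field3 is kept from the question -->
    <input type="dropdown" token="field3" searchWhenChanged="true">
      <label>Select response status:</label>
      <choice value="Client Error">Client Error</choice>
      <choice value="Server Error">Server Error</choice>
      <default>Client Error</default>
    </input>
    <!-- Dropdown two: codes in the chosen group plus a computed ALL row -->
    <input type="dropdown" token="status" searchWhenChanged="true">
      <label>Select response status code:</label>
      <!-- prefix/suffix wrap the selected value, so $status$ is a complete IN clause -->
      <prefix>resStatus IN (</prefix>
      <suffix>)</suffix>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| search Tstatus="$field3$"
| stats count by s
| eval label=s, value=s
| appendpipe [ stats values(s) as value | eval value=mvjoin(value, ", "), label="ALL" ]
| where isnotnull(value)
| eval sortord=if(label=="ALL", 0, 1)
| sort sortord, label
| fields label, value</query>
        <earliest>$field1.earliest$</earliest>
        <latest>$field1.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- With ALL selected, $status$ becomes e.g. resStatus IN (400, 404, 406) -->
          <query>index=XXX "app"=D forwApp=$App$ host=$host$ $status$ | stats count by resStatus</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the ALL value is a comma-separated list of the codes actually present in the selected group, no `*` wildcard reaches the panel search and no per-panel `eval` grouping is needed.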