Dashboards & Visualizations

How to populate one search field on basis of other two search field values?

Digvijay
Path Finder

Splunk_search.PNG

 

I want to populate Operation field on basis of API and METHOD field values .

My code :

<input type="dropdown" token="tkn_ OPERATION">
<label>Select Operation:</label>
<fieldForLabel>OPERATION</fieldForLabel>
<fieldForValue>OPERATION</fieldForValue>
<search>
<query>| makeresults | eval API="party_interaction_rest" AND METHOD="GET",OPERATION="Alle,LIST_PARTY_INTERACTIONS" |
append [| makeresults | eval API="ticket_mgmt_rest" AND METHOD="GET",OPERATION="Alle,LIST_TROUBLE_TICKETS"] | eval OPERATION=split(OPERATION,",")
|mvexpand OPERATION| table API METHOD OPERATION | search API="$token_service$" METHOD="$token_method$"</query>
</search>

 

Above code is not working.

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

There are a few problems with the dashboard code. 

The OPERATION token has a space in the name

Extraneous AND keywords in an eval command 

A token prefix setting prevented matching of the token value.

See my test code below.

<form>
  <fieldset>
    <input type="dropdown" token="token_service" searchWhenChanged="true">
      <label>Select API:</label>
      <choice value="party_interaction_rest">PARTY INTERACTION</choice>
      <choice value="ticket_mgmt_rest">TICKET MANAGEMENT</choice>
      <choice value="customer_management_rest">CUSTOMER MANAGEMENT</choice>
      <choice value="agreement_management_rest">AGREEMENT MANAGEMENT</choice>
      <choice value="product_order_rest">PRODUCT ORDER</choice>
      <choice value="cust_comm_rest">CUSTOMER COMMUNICATION</choice>
      <choice value="product_inv_rest">PRODUCT INVENTORY</choice>
      <change>
        <condition label="PARTY INTERACTION">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:party_interaction_rest</set>
          <set token="uuid">"properties.o2-PartyInteraction-ReqId"</set>
        </condition>
        <condition label="TICKET MANAGEMENT">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:ticket_mgmt_rest</set>
          <set token="uuid">"properties.o2-TroubleTicket-ReqId"</set>
        </condition>
        <condition label="CUSTOMER MANAGEMENT">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:customer_management_rest</set>
          <set token="uuid">"properties.o2-CustomerManagement-ReqId"</set>
        </condition>
        <condition label="AGREEMENT MANAGEMENT">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:agreement_management_rest</set>
          <set token="uuid">"properties.o2-Agreement-ReqId"</set>
        </condition>
        <condition label="PRODUCT ORDER">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:product_order_rest</set>
          <set token="uuid">"properties.o2-ProductOrder-ReqId"</set>
        </condition>
        <condition label="CUSTOMER COMMUNICATION">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:cust_comm_rest</set>
          <set token="uuid">"properties.o2-Communications-ReqId"</set>
        </condition>
        <condition label="PRODUCT INVENTORY">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:product_inv_rest</set>
          <set token="uuid">"properties.o2-Product-ReqId"</set>
        </condition>
      </change>
      <default>ticket_mgmt_rest</default>
      <initialValue>ticket_mgmt_rest</initialValue>
    </input>
    <input type="dropdown" token="token_method" searchWhenChanged="true">
      <label>Select Method:</label>
      <fieldForLabel>METHOD</fieldForLabel>
      <fieldForValue>METHOD</fieldForValue>
      <search>
        <query>| makeresults | eval API="party_interaction_rest",METHOD="Alle,GET,POST" |
append [| makeresults | eval API="ticket_mgmt_rest",METHOD="Alle,GET,POST,PATCH"] |
append [| makeresults | eval API="customer_management_rest",METHOD="Alle,GET,PATCH"] |
append [| makeresults | eval API="agreement_management_rest",METHOD="Alle,GET"] |
append [| makeresults | eval API="product_order_rest",METHOD="Alle,GET,POST,PATCH,DELETE"] |
append [| makeresults | eval API="cust_comm_rest",METHOD="Alle,GET"] |
append [| makeresults | eval API="product_inv_rest",METHOD="Alle,GET,POST,PATCH"] | eval METHOD=split(METHOD,",")
|mvexpand METHOD| table API METHOD | search API="$token_service$"</query>
      </search>
      <change>
        <condition value="Alle">
          <set token="token_method">*</set>
        </condition>
      </change>
      <default>Alle</default>
      <initialValue>Alle</initialValue>
    </input>
    <input type="dropdown" token="tkn_OPERATION" searchWhenChanged="true">
      <label>Select Operation:</label>
      <fieldForLabel>OPERATION</fieldForLabel>
      <fieldForValue>OPERATION</fieldForValue>
      <search>
        <query>| makeresults 
| eval API="party_interaction_rest", METHOD="GET",OPERATION="Alle,LIST_PARTY_INTERACTIONS" 
| append 
    [| makeresults 
    | eval API="ticket_mgmt_rest", METHOD="GET",OPERATION="Alle,LIST_TROUBLE_TICKETS"] 
| eval OPERATION=split(OPERATION,",") 
| mvexpand OPERATION 
| table API METHOD OPERATION 
| search API=$token_service|s$ METHOD=$token_method|s$</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|  makeresults 
|  eval Method=$token_method|s$, Service=$token_service|s$
|  table Service Method</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Please explain "code is not working".  What results do you get?  What results do you expect?  Are there any error messages?

Please share the code for the other tokens (token_service and token_method).

---
If this reply helps you, Karma would be appreciated.

Digvijay
Path Finder

Please find code for other tokens -

<input type="dropdown" token="token_service" searchWhenChanged="true">
<label>Select API:</label>
<choice value="party_interaction_rest">PARTY INTERACTION</choice>
<choice value="ticket_mgmt_rest">TICKET MANAGEMENT</choice>
<choice value="customer_management_rest">CUSTOMER MANAGEMENT</choice>
<choice value="agreement_management_rest">AGREEMENT MANAGEMENT</choice>
<choice value="product_order_rest">PRODUCT ORDER</choice>
<choice value="cust_comm_rest">CUSTOMER COMMUNICATION</choice>
<choice value="product_inv_rest">PRODUCT INVENTORY</choice>
<change>
<condition label="PARTY INTERACTION">
<set token="sourcetyp">$value$</set>
<set token="src">http:party_interaction_rest</set>
<set token="uuid">"properties.o2-PartyInteraction-ReqId"</set>
</condition>
<condition label="TICKET MANAGEMENT">
<set token="sourcetyp">$value$</set>
<set token="src">http:ticket_mgmt_rest</set>
<set token="uuid">"properties.o2-TroubleTicket-ReqId"</set>
</condition>
<condition label="CUSTOMER MANAGEMENT">
<set token="sourcetyp">$value$</set>
<set token="src">http:customer_management_rest</set>
<set token="uuid">"properties.o2-CustomerManagement-ReqId"</set>
</condition>
<condition label="AGREEMENT MANAGEMENT">
<set token="sourcetyp">$value$</set>
<set token="src">http:agreement_management_rest</set>
<set token="uuid">"properties.o2-Agreement-ReqId"</set>
</condition>
<condition label="PRODUCT ORDER">
<set token="sourcetyp">$value$</set>
<set token="src">http:product_order_rest</set>
<set token="uuid">"properties.o2-ProductOrder-ReqId"</set>
</condition>
<condition label="CUSTOMER COMMUNICATION">
<set token="sourcetyp">$value$</set>
<set token="src">http:cust_comm_rest</set>
<set token="uuid">"properties.o2-Communications-ReqId"</set>
</condition>
<condition label="PRODUCT INVENTORY">
<set token="sourcetyp">$value$</set>
<set token="src">http:product_inv_rest</set>
<set token="uuid">"properties.o2-Product-ReqId"</set>
</condition>
</change>
<default>ticket_mgmt_rest</default>
<initialValue>ticket_mgmt_rest</initialValue>
</input>
<input type="dropdown" token="token_method" searchWhenChanged="true">
<label>Select Method:</label>
<fieldForLabel>METHOD</fieldForLabel>
<fieldForValue>METHOD</fieldForValue>
<search>
<query>| makeresults | eval API="party_interaction_rest",METHOD="Alle,GET,POST" |
append [| makeresults | eval API="ticket_mgmt_rest",METHOD="Alle,GET,POST,PATCH"] |
append [| makeresults | eval API="customer_management_rest",METHOD="Alle,GET,PATCH"] |
append [| makeresults | eval API="agreement_management_rest",METHOD="Alle,GET"] |
append [| makeresults | eval API="product_order_rest",METHOD="Alle,GET,POST,PATCH,DELETE"] |
append [| makeresults | eval API="cust_comm_rest",METHOD="Alle,GET"] |
append [| makeresults | eval API="product_inv_rest",METHOD="Alle,GET,POST,PATCH"] | eval METHOD=split(METHOD,",")
|mvexpand METHOD| table API METHOD | search API="$token_service$"</query>
</search>
<change>
<condition value="Alle">
<set token="token_method">*</set>
</condition>
</change>
<default>Alle</default>
<prefix>"properties.httpMethod"=</prefix>
<initialValue>Alle</initialValue>
</input>
Tags (1)
0 Karma

Digvijay
Path Finder

I am not getting any error message its just values are not getting populated in operation field. It is working previously when I filter operation on basis of API only.

0 Karma

Digvijay
Path Finder

Haven't found correct solution yet.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There are a few problems with the dashboard code. 

The OPERATION token has a space in the name

Extraneous AND keywords in an eval command 

A token prefix setting prevented matching of the token value.

See my test code below.

<form>
  <fieldset>
    <input type="dropdown" token="token_service" searchWhenChanged="true">
      <label>Select API:</label>
      <choice value="party_interaction_rest">PARTY INTERACTION</choice>
      <choice value="ticket_mgmt_rest">TICKET MANAGEMENT</choice>
      <choice value="customer_management_rest">CUSTOMER MANAGEMENT</choice>
      <choice value="agreement_management_rest">AGREEMENT MANAGEMENT</choice>
      <choice value="product_order_rest">PRODUCT ORDER</choice>
      <choice value="cust_comm_rest">CUSTOMER COMMUNICATION</choice>
      <choice value="product_inv_rest">PRODUCT INVENTORY</choice>
      <change>
        <condition label="PARTY INTERACTION">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:party_interaction_rest</set>
          <set token="uuid">"properties.o2-PartyInteraction-ReqId"</set>
        </condition>
        <condition label="TICKET MANAGEMENT">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:ticket_mgmt_rest</set>
          <set token="uuid">"properties.o2-TroubleTicket-ReqId"</set>
        </condition>
        <condition label="CUSTOMER MANAGEMENT">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:customer_management_rest</set>
          <set token="uuid">"properties.o2-CustomerManagement-ReqId"</set>
        </condition>
        <condition label="AGREEMENT MANAGEMENT">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:agreement_management_rest</set>
          <set token="uuid">"properties.o2-Agreement-ReqId"</set>
        </condition>
        <condition label="PRODUCT ORDER">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:product_order_rest</set>
          <set token="uuid">"properties.o2-ProductOrder-ReqId"</set>
        </condition>
        <condition label="CUSTOMER COMMUNICATION">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:cust_comm_rest</set>
          <set token="uuid">"properties.o2-Communications-ReqId"</set>
        </condition>
        <condition label="PRODUCT INVENTORY">
          <set token="sourcetyp">$value$</set>
          <set token="src">http:product_inv_rest</set>
          <set token="uuid">"properties.o2-Product-ReqId"</set>
        </condition>
      </change>
      <default>ticket_mgmt_rest</default>
      <initialValue>ticket_mgmt_rest</initialValue>
    </input>
    <input type="dropdown" token="token_method" searchWhenChanged="true">
      <label>Select Method:</label>
      <fieldForLabel>METHOD</fieldForLabel>
      <fieldForValue>METHOD</fieldForValue>
      <search>
        <query>| makeresults | eval API="party_interaction_rest",METHOD="Alle,GET,POST" |
append [| makeresults | eval API="ticket_mgmt_rest",METHOD="Alle,GET,POST,PATCH"] |
append [| makeresults | eval API="customer_management_rest",METHOD="Alle,GET,PATCH"] |
append [| makeresults | eval API="agreement_management_rest",METHOD="Alle,GET"] |
append [| makeresults | eval API="product_order_rest",METHOD="Alle,GET,POST,PATCH,DELETE"] |
append [| makeresults | eval API="cust_comm_rest",METHOD="Alle,GET"] |
append [| makeresults | eval API="product_inv_rest",METHOD="Alle,GET,POST,PATCH"] | eval METHOD=split(METHOD,",")
|mvexpand METHOD| table API METHOD | search API="$token_service$"</query>
      </search>
      <change>
        <condition value="Alle">
          <set token="token_method">*</set>
        </condition>
      </change>
      <default>Alle</default>
      <initialValue>Alle</initialValue>
    </input>
    <input type="dropdown" token="tkn_OPERATION" searchWhenChanged="true">
      <label>Select Operation:</label>
      <fieldForLabel>OPERATION</fieldForLabel>
      <fieldForValue>OPERATION</fieldForValue>
      <search>
        <query>| makeresults 
| eval API="party_interaction_rest", METHOD="GET",OPERATION="Alle,LIST_PARTY_INTERACTIONS" 
| append 
    [| makeresults 
    | eval API="ticket_mgmt_rest", METHOD="GET",OPERATION="Alle,LIST_TROUBLE_TICKETS"] 
| eval OPERATION=split(OPERATION,",") 
| mvexpand OPERATION 
| table API METHOD OPERATION 
| search API=$token_service|s$ METHOD=$token_method|s$</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|  makeresults 
|  eval Method=$token_method|s$, Service=$token_service|s$
|  table Service Method</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
If this reply helps you, Karma would be appreciated.

Digvijay
Path Finder

@richgalloway ,

Thanks for your reply , now my search is working fine .Only one help needed now - How to reset the values for dropdown 'METHOD' ,'OPERATION' on selection of 'API' . And also sometimes its giving me error below 'OPERATION' dropdown that duplicate values due to conflict

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I'm not sure how to have one token reset another, but perhaps you could use a <change> element in one token to unset the downstream tokens.

To avoid the "duplicate values" error, make sure your token searches return unique results.  Use dedup or stats as necessary.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Digvijay
Path Finder

@richgalloway ;

I am not able to filter operation field correctly . Can you guide me how I can perform above thing using lookup file?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To use a lookup, replace the operation query with one that reads the lookup file.  Assuming the lookup file is called "mylookup.csv" and has fields API, METHOD, and OPERATION then this is a possible query.

| inputlookup mylookup.csv where API=$token_service|s$ METHOD=$token_method|s$
| dedup OPERATION
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...