Solved: How to segregate the dropdown ALL values ?

karthi2809

Thanks In Advance.

I am using dropdown values for my requirement. In the dropdown i am using token and getting the values from inputlookup and i will pass the value to splunk query.There are two dropdown one is application Name another one interface name.If i select values i am getting result .If select ALL and the values shows *.in the splunk query.Instead of * .I want to gey values like OR conditions.If i the token getting * then it showing all the values.But i want to show the values which is comming from inputlookup values both application name and interface name.

When i am selecting ALL my splunk query like this:

index=mulesoft environment=PRD (applicationName="*" OR priority IN ("ERROR", "WARN"))
| stats values(*) AS * BY correlationId applicationName
| rename content.InterfaceName AS InterfaceName 
   content.FileList{} AS FileList
   content.Filename as FileName 
   content.ErrorMsg as ErrorMsg   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") 
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message 
| search  InterfaceName="*" FileList="*"
| sort -timestamp | sort -timestamp

I am expecting :

index=mulesoft environment=PRD applicationName IN ("Test1" OR "TEST2" OR "Test3") OR priority IN ("ERROR", "WARN")
| stats values(*) AS * BY correlationId applicationName
| rename content.InterfaceName AS InterfaceName 
   content.FileList{} AS FileList
   content.Filename as FileName 
   content.ErrorMsg as ErrorMsg   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") 
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message 
| search  InterfaceName IN ("aa" OR "bb" OR "cc") AND FileList="*"
| sort -timestamp | sort -timestamp

 
DropDown Code
</input><input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>ApplicationName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | dedup applicationName 
         | sort applicationName 
         | table applicationName 
      </query> 
   </search> 
   <fieldForLabel>applicationName</fieldForLabel> 
   <fieldForValue>applicationName</fieldForValue> 
   <default>*</default> 
   <prefix>applicationName="</prefix> 
   <suffix>"</suffix> 
</input> 
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>InterfaceName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | search $BankApp$ 
         | sort InterfaceName 
         | table InterfaceName 
      </query> 
   </search> 
   <fieldForLabel>InterfaceName</fieldForLabel> 
   <fieldForValue>InterfaceName</fieldForValue> 
   <default>*</default> 
   <prefix>InterfaceName="</prefix> 
   <suffix>"</suffix> 
</input>

kamlesh_vaghela

@karthi2809

Please check the below sample XML. Observe `new_value` token and use in your search.

<form version="1.1" theme="dark">
  <label>Application</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="BankApp" searchWhenChanged="true">
      <label>ApplicationName</label>
      <choice value="*">All</choice>
      <search>
        <query> 
         | makeresults | eval applicationName="Test1,Test2,Test3" | eval applicationName=split(applicationName,",") | stats count by applicationName | table applicationName
      </query>
      </search>
      <fieldForLabel>applicationName</fieldForLabel>
      <fieldForValue>applicationName</fieldForValue>
      <default>*</default>
      <prefix>applicationName="</prefix>
      <suffix>"</suffix>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="new_value">applicationName IN ("Test1" OR "TEST2" OR "Test3")</set>
        </condition>
        <condition>
          <set token="new_value">applicationName = $BankApp$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        Dropdown Value = $BankApp$
        <br/>
        new_value= $new_value$
      </html>
    </panel>
  </row>
</form>

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela

@karthi2809

Please check the below sample XML. Observe `new_value` token and use in your search.

<form version="1.1" theme="dark">
  <label>Application</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="BankApp" searchWhenChanged="true">
      <label>ApplicationName</label>
      <choice value="*">All</choice>
      <search>
        <query> 
         | makeresults | eval applicationName="Test1,Test2,Test3" | eval applicationName=split(applicationName,",") | stats count by applicationName | table applicationName
      </query>
      </search>
      <fieldForLabel>applicationName</fieldForLabel>
      <fieldForValue>applicationName</fieldForValue>
      <default>*</default>
      <prefix>applicationName="</prefix>
      <suffix>"</suffix>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="new_value">applicationName IN ("Test1" OR "TEST2" OR "Test3")</set>
        </condition>
        <condition>
          <set token="new_value">applicationName = $BankApp$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        Dropdown Value = $BankApp$
        <br/>
        new_value= $new_value$
      </html>
    </panel>
  </row>
</form>

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

karthi2809

For application Name its working .for interface name how to map the application name

Application Name : Test 1,Test 2

In Test 1 application name have 3 interface name aa,bb,cc

In Test 2 application name have 5 interface name ww,dd,ff,gg,hh.

Already i am getting value from inputlookup .How can i map application name to interface name

kamlesh_vaghela

@karthi2809

Try using `new_value` as a filter in the Interface Drop down.

karthi2809

I am using like this.But its not mapping

<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$">
        <label>InterfaceName</label>
         <choice value="*">All</choice>
      <search>
        <query> 
          | inputlookup BankIntegration.csv 
       | search $new_value$
       | eval InterfaceName=split(InterfaceName,",") | stats count by InterfaceName | table InterfaceName
      </query>
      </search>
      <fieldForLabel>InterfaceName</fieldForLabel>
      <fieldForValue>InterfaceName</fieldForValue>
      <default>*</default>
      <prefix>InterfaceName="</prefix>
      <suffix>"</suffix>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="new_interface">InterfaceName IN (
"USBANK_KYRIBA_ORACLE_CE_BANKSTMTS_INOUT",
"USBANK_AP_POSITIVE_PAY",
"HSBC_NA_AP_ACH",
"USBANK_AP_ACH",
"HSBC_EU_KYRIBA_CE_BANKSTMTS_TWIST_INOUT")</set>
        </condition>
        <condition>
          <set token="new_interface">$interface$</set>
        </condition>
      </change>
      </input>

kamlesh_vaghela

@karthi2809

Are you looking for this?

<form version="1.1" theme="dark">
  <label>Application</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="BankApp" searchWhenChanged="true">
      <label>ApplicationName</label>
      <choice value="*">All</choice>
      <search>
        <query> 
         | makeresults | eval applicationName="Test1,Test2,Test3" | eval applicationName=split(applicationName,",") | stats count by applicationName | table applicationName
      </query>
      </search>
      <fieldForLabel>applicationName</fieldForLabel>
      <fieldForValue>applicationName</fieldForValue>
      <default>*</default>
      <prefix>applicationName="</prefix>
      <suffix>"</suffix>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="new_value">applicationName IN ("Test1" , "TEST2" , "Test3")</set>
        </condition>
        <condition>
          <set token="new_value">$BankApp$</set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="interface" searchWhenChanged="true">
        <label>InterfaceName</label>
         <choice value="*">All</choice>
      <search>
        <query> 
          | inputlookup BankIntegration.csv 
       | search $new_value$
       | eval InterfaceName=split(InterfaceName,",") | stats count by InterfaceName | table InterfaceName
      </query>
      </search>
      <fieldForLabel>InterfaceName</fieldForLabel>
      <fieldForValue>InterfaceName</fieldForValue>
      <default>*</default>
      <prefix>InterfaceName="</prefix>
      <suffix>"</suffix>
      <change>
        <condition match="$value$==&quot;*&quot;">
          <set token="new_interface">InterfaceName IN (
"USBANK_KYRIBA_ORACLE_CE_BANKSTMTS_INOUT",
"USBANK_AP_POSITIVE_PAY",
"HSBC_NA_AP_ACH",
"USBANK_AP_ACH",
"HSBC_EU_KYRIBA_CE_BANKSTMTS_TWIST_INOUT")</set>
        </condition>
        <condition>
          <set token="new_interface">$interface$</set>
        </condition>
      </change>
      </input>
  </fieldset>
  <row>
    <panel>
      <html>
        Dropdown Value = $BankApp$
        <br/>
        new_value= $new_value$
        <br/>
        new_interface = $new_interface$
        <br/>
        | inputlookup BankIntegration.csv 
       | search $new_value$
       | eval InterfaceName=split(InterfaceName,",") | stats count by InterfaceName | table InterfaceName
      </html>
    </panel>
  </row>
</form>

How to segregate the dropdown ALL values ?

Classic dashboard

token

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases