
How to set a token based on drop down values

manjuase
Explorer

Hi all,

I have one drop down (dropdown1) which will display the current user logged into Splunk using the below query.

|rest splunk_server=local /services/authentication/current-context

And I have another dropdown (dropdown2) which should display values based on the value in dropdown1.

That is, if dropdown1 has admin, then dropdown2 should run query1 and display its values in dropdown2; if dropdown1 has a user other than admin, dropdown2 should run query2 and display its values in dropdown2.

Overall, my expectation is: can we run two different queries for the same dropdown based on the value chosen in dropdown1?

P.S.: dropdown1 will have only one username, since it shows the current user logged in.

Please help me out on this. Thanks in advance.

0 Karma
1 Solution

niketn
Legend

@manjuase in order for the community to assist you better, please add more details, like what code you are using and what data you are planning to work on. Based on the description, it seems like the REST API query gives you roles in a dropdown from which you want to run one of two SPLs, i.e. if the selected role is admin, run SPL 1, otherwise run SPL 2. Please find below a sample dashboard which implements the same.
The following snippet checks whether the selected dropdown value is admin and sets the first SPL as a token. Otherwise it sets a different SPL as the same token tokSPL, to be used in the actual search query.

   <change>
     <condition value="admin">
       <set token="tokSPL">| makeresults
       | fields - _time
       | eval selectedRole="Admin Role: $value$"</set>
     </condition>
     <condition>
       <set token="tokSPL">| makeresults
       | fields - _time
       | eval selectedRole="Some Other Role: $value$"</set>
     </condition>
   </change>

Following is a run-anywhere Simple XML dashboard example:

<form>
  <label>Dropdown based SPL</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>field1</label>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest splunk_server=local /services/authentication/current-context 
| fields roles
| mvexpand roles
| dedup roles</query>
      </search>
      <change>
        <condition value="admin">
          <set token="tokSPL">| makeresults
          | fields - _time
          | eval selectedRole="Admin Role: $value$"</set>
        </condition>
        <condition>
          <set token="tokSPL">| makeresults
          | fields - _time
          | eval selectedRole="Some Other Role: $value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>$tokSPL$</query>
        </search>  
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

astockmeister_s
Explorer

How do I do this in Dashboard Studio JSON configuration? The documentation for that is very sparse.

0 Karma

manjuase
Explorer

Hi Niketnilay,

Thanks for your valuable answer. It is working fine, but instead of the below portion

 <panel>
   <table>
     <search>
       <query>$tokSPL$</query>
     </search>  
   </table>
 </panel>

can't we assign this token to a dropdown?

That is, when the admin role is selected, the result of the query should be populated in the dropdown instead of showing it in a panel.

0 Karma
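
As an added example (not part of the original posts and not niketn's code): one way to feed the role-dependent token into a second dropdown, as asked in the follow-up above. The token `field2`, the field name `choice`, and both `makeresults` queries are assumptions standing in for the real query1 and query2.

```xml
<form>
  <label>Role-dependent second dropdown</label>
  <fieldset submitButton="false">
    <!-- dropdown1: roles of the logged-in user, same search as in the answer -->
    <input type="dropdown" token="field1">
      <label>Role</label>
      <fieldForLabel>roles</fieldForLabel>
      <fieldForValue>roles</fieldForValue>
      <search>
        <query>| rest splunk_server=local /services/authentication/current-context
| fields roles
| mvexpand roles
| dedup roles</query>
      </search>
      <change>
        <!-- Clear dropdown2's old selection, then set its SPL (constructed placeholders) -->
        <condition value="admin">
          <unset token="form.field2"></unset>
          <set token="tokSPL">| makeresults count=3
          | streamstats count AS n
          | eval choice="admin-option-".n
          | fields choice</set>
        </condition>
        <condition>
          <unset token="form.field2"></unset>
          <set token="tokSPL">| makeresults count=2
          | streamstats count AS n
          | eval choice="user-option-".n
          | fields choice</set>
        </condition>
      </change>
    </input>
    <!-- dropdown2: populated by whatever SPL tokSPL currently holds. This only selects
         query text; what the user may search is still decided by role permissions. -->
    <input type="dropdown" token="field2">
      <label>Values for selected role</label>
      <fieldForLabel>choice</fieldForLabel>
      <fieldForValue>choice</fieldForValue>
      <search>
        <query>$tokSPL$</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html><p>Selected value: $field2$</p></html>
    </panel>
  </row>
</form>
```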