Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to set a token based on drop down values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I have one drop down(dropdown1) which will display the current user logged into splunk using the below query.
|rest splunk_server=local /services/authentication/current-context
And i have another dropdown (dropdown2) which should display the values based on the value on dropdown1
that is if dropdown1 is having admin then dropdown 2 should run a query1 and display values in the dropdown2, if dropdown1 having users other than admin dropdown2 should run a query2 and display values in the dropdown2..
Over all my expectation is can we run a two different query for a same dropdown based on the value chosen in dropdown1.
p.s: dropdown1 will be having only one username since it is showing current user logged in.
please help me out on this. Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjuase in order for the community to assist you better please add more details like what is the code you are using and what is the data on which you are planning to work on. Based on the description seems like the REST API query gives you roles in a dropdown from where you want to run one of the two SPLs i.e. If selected role is admin, run SPL 1 otherwise run SPL2. Please find below a sample dashboard which implements the same.
Following snipped checked for selected dropdown value as admin and sets the first SPL as a token. Otherwise it sets a different SPL as the same token tokSPL to be used in actual search query.
<change>
<condition value="admin">
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Admin Role: $value$"</set>
</condition>
<condition>
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Some Other Role: $value$"</set>
</condition>
</change>
Following is the run anywhere Simple XML dashboard example:
<form>
<label>Dropdown based SPL</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
<fieldForLabel>roles</fieldForLabel>
<fieldForValue>roles</fieldForValue>
<search>
<query>| rest splunk_server=local /services/authentication/current-context
| fields roles
| mvexpand roles
| dedup roles</query>
</search>
<change>
<condition value="admin">
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Admin Role: $value$"</set>
</condition>
<condition>
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Some Other Role: $value$"</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>$tokSPL$</query>
</search>
</table>
</panel>
</row>
</form>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjuase in order for the community to assist you better please add more details like what is the code you are using and what is the data on which you are planning to work on. Based on the description seems like the REST API query gives you roles in a dropdown from where you want to run one of the two SPLs i.e. If selected role is admin, run SPL 1 otherwise run SPL2. Please find below a sample dashboard which implements the same.
Following snipped checked for selected dropdown value as admin and sets the first SPL as a token. Otherwise it sets a different SPL as the same token tokSPL to be used in actual search query.
<change>
<condition value="admin">
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Admin Role: $value$"</set>
</condition>
<condition>
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Some Other Role: $value$"</set>
</condition>
</change>
Following is the run anywhere Simple XML dashboard example:
<form>
<label>Dropdown based SPL</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
<fieldForLabel>roles</fieldForLabel>
<fieldForValue>roles</fieldForValue>
<search>
<query>| rest splunk_server=local /services/authentication/current-context
| fields roles
| mvexpand roles
| dedup roles</query>
</search>
<change>
<condition value="admin">
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Admin Role: $value$"</set>
</condition>
<condition>
<set token="tokSPL">| makeresults
| fields - _time
| eval selectedRole="Some Other Role: $value$"</set>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>$tokSPL$</query>
</search>
</table>
</panel>
</row>
</form>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I do this in Dashboard Studio JSON configuration? The documentation for that is very sparse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Niketnilay,
Thanks for your valuable answer. it is working fine.. but instead of the below portion
<panel>
<table>
<search>
<query>$tokSPL$</query>
</search>
</table>
</panel>
can't we assign this token to dropdown?
That is when the admin role is selected, the result of the query should be populated in the dropdown instead of showing it in a panel.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
