Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Select last week as default in the dropdown
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nabeel652
Builder
07-25-2024
09:50 PM
Hello Splunkers
I have a dropdown that calculates week_start for the last whole year. Then it has to pick "last_week" as default. I noticed that the dropdown, instead of remembering the label, adds the value to <default></default>
I've tried to calculate last_week as a token and added to <default></default>, which it picks up correctly. But shows the epoch time in the dropdown instead of selecting the corresponding label "Last Week".
Code for defining the dropdown search and initialising the token $last_week$:
<fieldset submitButton="false">
<input type="dropdown" token="week">
<label>week</label>
<fieldForLabel>time</fieldForLabel>
<fieldForValue>start_time</fieldForValue>
<search>
<query>| makeresults count=52
| fields - _time
| streamstats count
| eval count=count-1
| eval start_time = relative_time(now(),"-".count."w@w+1d")
| eval time = case(count==1, "Last week", count==0, "Current week", 1==1, strftime(start_time,"%a %d-%b-%Y"))
| table time, start_time
| eval start_time=round(start_time,0)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>$last_week$</default>
<initialValue>$last_week$</initialValue>
</input>
</fieldset>
-- The token initialisation that calculates last week wrt now():
<init>
<eval token="last_week">relative_time(now(),"-1w@w+1d")</eval>
</init>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
07-25-2024
11:25 PM
@nabeel652 You don't really need the tokens, just add the selectFirstChoice option and make sure last week is sorted first and it will all work, see this dashboard example
<form version="1.1" theme="light">
<label>LastWeek</label>
<fieldset submitButton="false">
<input type="dropdown" token="week">
<label>week</label>
<fieldForLabel>time</fieldForLabel>
<fieldForValue>start_time</fieldForValue>
<selectFirstChoice>1</selectFirstChoice>
<search>
<query>| makeresults count=52
| fields - _time
| streamstats count
| eval count=count-1
| eval start_time = relative_time(now(),"-".count."w@w+1d")
| eval time = case(count==1, "Last week", count==0, "Current week", 1==1, strftime(start_time,"%a %d-%b-%Y"))
| eval order=if(count=1, -1, count)
| sort order
| table time, start_time
| eval start_time=round(start_time,0)
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<set token="week_name">$label$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval selection=$week|s$, name=$week_name|s$
| eval Value=strftime(selection, "%F %T")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>@
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
07-25-2024
11:25 PM
@nabeel652 You don't really need the tokens, just add the selectFirstChoice option and make sure last week is sorted first and it will all work, see this dashboard example
<form version="1.1" theme="light">
<label>LastWeek</label>
<fieldset submitButton="false">
<input type="dropdown" token="week">
<label>week</label>
<fieldForLabel>time</fieldForLabel>
<fieldForValue>start_time</fieldForValue>
<selectFirstChoice>1</selectFirstChoice>
<search>
<query>| makeresults count=52
| fields - _time
| streamstats count
| eval count=count-1
| eval start_time = relative_time(now(),"-".count."w@w+1d")
| eval time = case(count==1, "Last week", count==0, "Current week", 1==1, strftime(start_time,"%a %d-%b-%Y"))
| eval order=if(count=1, -1, count)
| sort order
| table time, start_time
| eval start_time=round(start_time,0)
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<set token="week_name">$label$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval selection=$week|s$, name=$week_name|s$
| eval Value=strftime(selection, "%F %T")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>@
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scelikok
SplunkTrust
07-25-2024
11:10 PM
Hi @nabeel652,
You should use valid values from the dropdown contents as default and initial settings. Changing last_week token init to formatted value will help you, please try below;
<fieldset submitButton="false">
<input type="dropdown" token="week">
<label>week</label>
<fieldForLabel>time</fieldForLabel>
<fieldForValue>start_time</fieldForValue>
<search>
<query>| makeresults count=52
| fields - _time
| streamstats count
| eval count=count-1
| eval start_time = relative_time(now(),"-".count."w@w+1d")
| eval time = case(count==1, "Last week", count==0, "Current week", 1==1, strftime(start_time,"%a %d-%b-%Y"))
| table time, start_time
| eval start_time=round(start_time,0)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>$last_week$</default>
<initialValue>$last_week$</initialValue>
</input>
</fieldset>
-- The token initialisation that calculates last week wrt now():
<init>
<eval token="last_week">strftime(relative_time(now(),"-1w@w+1d"),"%a %d-%b-%Y")</eval>
</init>
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
