Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk Drop Down Static Option issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a drop down that gives users to select operating system of choice for results. It has below fields and all are static with respective values.
Static Options
Name, Value
Linux, Linux*
Solaris, Solaris*
Windows Server, Windows Server*
Windows Misc, !=Windows Server* =Windows* (Issues lie here. How to do this for this Windows piece? To have multiple values in this section so it does the filter right). This is working perfectly fine in standalone searches etc. but I want this drop down to work fine with this selection. In this choice, I am skipping Windows Server but including all other Windows like Windows 7, 10 etc
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mbasharat, Assuming the field in the indexed event is called os, please try the following run anywhere example.
You can code Dropdown <change> handler to set the token as per your need.
<form>
<label>Dropdown Static Options</label>
<fieldset submitButton="false">
<input type="dropdown" token="os" searchWhenChanged="true">
<label>Select Operating System</label>
<choice value="Linux">Linux</choice>
<choice value="Solaris">Solaris</choice>
<choice value="Sun">SunOS</choice>
<choice value="WindowsServer">Windows Server</choice>
<choice value="WindowsMisc">Windows Misc</choice>
<change>
<condition value="Linux">
<set token="tokOS">os="*Linux*"</set>
</condition>
<condition value="Solaris">
<set token="tokOS">os="Solaris*"</set>
</condition>
<condition value="Sun">
<set token="tokOS">os="Sun*"</set>
</condition>
<condition value="WindowsServer">
<set token="tokOS">os="Windows Server*"</set>
</condition>
<condition value="WindowsMisc">
<set token="tokOS">os="Windows*" AND os!="Windows Server*"</set>
</condition>
</change>
<default>Linux</default>
<initialValue>Linux</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval os="Red Had Linux X.Y.Z,Suse Linux X.Y.Z,SunOS X.Y.Z,Solaris X.Y.Z,Windows Server 2012,Windows Server 2013,Windows 7,Windows 10"
| makemv os delim=","
| mvexpand os
| search $tokOS$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
PS: Something similar can be directly done by moving values <set> inside change event handler to be set directly as static value (however, this will appear as selected value for the dropdown). If you have Submit button in your dashboard and do not want Dropdown token to be set on changing the dropdown value, then you would need to assign the values directly under static option rather than change event.
<form>
<label>Dropdown Static Options Copy</label>
<fieldset submitButton="false">
<input type="dropdown" token="os" searchWhenChanged="true">
<label>Select Operating System</label>
<choice value="os="*Linux*"">Linux</choice>
<choice value="os="Solaris*"">Solaris</choice>
<choice value="os="Sun*"">SunOS</choice>
<choice value="os="Windows Server*"">Windows Server</choice>
<choice value="os="Windows*" AND os!="Windows Server*"">Windows Misc</choice>
<default>os="*Linux*"</default>
<initialValue>os="*Linux*"</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval os="Red Had Linux X.Y.Z,Suse Linux X.Y.Z,SunOS X.Y.Z,Solaris X.Y.Z,Windows Server 2012,Windows Server 2013,Windows 7,Windows 10"
| makemv os delim=","
| mvexpand os
| search $os$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mbasharat, Assuming the field in the indexed event is called os, please try the following run anywhere example.
You can code Dropdown <change> handler to set the token as per your need.
<form>
<label>Dropdown Static Options</label>
<fieldset submitButton="false">
<input type="dropdown" token="os" searchWhenChanged="true">
<label>Select Operating System</label>
<choice value="Linux">Linux</choice>
<choice value="Solaris">Solaris</choice>
<choice value="Sun">SunOS</choice>
<choice value="WindowsServer">Windows Server</choice>
<choice value="WindowsMisc">Windows Misc</choice>
<change>
<condition value="Linux">
<set token="tokOS">os="*Linux*"</set>
</condition>
<condition value="Solaris">
<set token="tokOS">os="Solaris*"</set>
</condition>
<condition value="Sun">
<set token="tokOS">os="Sun*"</set>
</condition>
<condition value="WindowsServer">
<set token="tokOS">os="Windows Server*"</set>
</condition>
<condition value="WindowsMisc">
<set token="tokOS">os="Windows*" AND os!="Windows Server*"</set>
</condition>
</change>
<default>Linux</default>
<initialValue>Linux</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval os="Red Had Linux X.Y.Z,Suse Linux X.Y.Z,SunOS X.Y.Z,Solaris X.Y.Z,Windows Server 2012,Windows Server 2013,Windows 7,Windows 10"
| makemv os delim=","
| mvexpand os
| search $tokOS$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
PS: Something similar can be directly done by moving values <set> inside change event handler to be set directly as static value (however, this will appear as selected value for the dropdown). If you have Submit button in your dashboard and do not want Dropdown token to be set on changing the dropdown value, then you would need to assign the values directly under static option rather than change event.
<form>
<label>Dropdown Static Options Copy</label>
<fieldset submitButton="false">
<input type="dropdown" token="os" searchWhenChanged="true">
<label>Select Operating System</label>
<choice value="os="*Linux*"">Linux</choice>
<choice value="os="Solaris*"">Solaris</choice>
<choice value="os="Sun*"">SunOS</choice>
<choice value="os="Windows Server*"">Windows Server</choice>
<choice value="os="Windows*" AND os!="Windows Server*"">Windows Misc</choice>
<default>os="*Linux*"</default>
<initialValue>os="*Linux*"</initialValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| fields - _time
| eval os="Red Had Linux X.Y.Z,Suse Linux X.Y.Z,SunOS X.Y.Z,Solaris X.Y.Z,Windows Server 2012,Windows Server 2013,Windows 7,Windows 10"
| makemv os delim=","
| mvexpand os
| search $os$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to do the same and have an OR statement in my static options in a multiselect dropdown. when viewing in my search the OR is not showing as a delimiter. I have tried both with and without the delimiter command. Anyone have some advice?:
<input type="multiselect" token="Realm_Name" searchWhenChanged="true">
<label>Select Realm Name:</label>
<fieldForLabel>Realm Name</fieldForLabel>
<fieldForValue>Realm Name</fieldForValue>
<search>
<query>index=twc_acme_pr_realm | dedup "Realm Name" | fields "Realm Name" | sort "Realm Name"</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<delimiter> OR </delimiter>
<choice value="*">*</choice>
<choice value="*comcast*">COMCAST</choice>
<choice value="*impact*">IMPACT</choice>
<choice value="*iqnt* OR "Realm Name"=*nt-*">IQ</choice>
<change>
<condition value="IQ">
<set token="tokRealm_Name">""Realm Name"=*iqnt* <delimiter> OR </delimiter> "Realm Name"="*nt-*" </set>
</condition>
</change>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WIth slight adjustment as per my need, first option worked. THANKS nikenilay!!!! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mbasharat, what is the field in your indexed data against which you want the above Dropdown value to match? What is your search SPL? Can you share the code for Simple XML Dashboard for Dropdown and its value being used in the search?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi nikenilay,
here it is:
<input type="dropdown" token="os">
<label>Select Operating System</label>
<choice value="*Linux*">Linux</choice>
<choice value="Solaris*">Solaris</choice>
<choice value="Sun*">SunOS</choice>
<choice value="Windows Server*">Windows Server</choice>
**<choice value="=Windows* AND !=Windows Server*">Windows Misc</choice>**
<default>*Linux*</default>
<initialValue>*Linux*</initialValue>
<search>
<query />
</search>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mbasharat also what is your SPL? What is the server field name in your indexed events where you want to apply $os$ filter?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You mean the Splunk version? It is 6.6.5 and 6.6.6 in two different enviros.
The server fields name in indexed events is (os_name)
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
