Dashboards & Visualizations

Why is my dashboard search not getting updated with dropdown selection?

bhumikajpatel
Explorer

Hi,

I am trying to create a dashboard that takes the details from the dropdown (input field) options and then dynamically updates searches.

Options in my dropdown list are also pulled dynamically through search query:
Sample query: sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales")

I am then passing token value "env" for the calculated field in "env" from above query to filter the searches. But the search doesn't seems to be changing based on the selection --- Production, Sales, or Test.

I have used dropdowns and tokens options before and they seemed to worked perfectly. But I am not sure if the match of multiple fields in the dropdown query creating a problem to filter the searches based on the selection by user.

Any help on this will be great.

Thanks.

0 Karma
1 Solution

frobinson_splun
Splunk Employee
Splunk Employee

I think I might see the problem, or a place to start troubleshooting. I created a similar dashboard to yours using different data and a very slightly modified query so that I could generate the input values. As pointed out here:
https://answers.splunk.com/answers/329960/duplicate-values-causing-conflict.html

I think there might be an issue with your field for label and field for value settings in the dropdown input. I was getting a "conflicting values" error until I made sure that the field was the same as the token ("env") that was getting set in the query. Here is the relevant part of my sample code that worked.

 <fieldset>
  <input type="time" searchWhenChanged="false">
   <label>Select a time:</label>
   <default>Last 24 hours</default>
 </input>
 <input type="dropdown" token="env" searchWhenChanged="false">
   <label>Environment</label>
   <fieldForLabel>env</fieldForLabel>
   <fieldForValue>env</fieldForValue>
   <search>
     <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
   </search>
   <default>Metrics</default>
 </input>
 <input type="text" token="type" searchWhenChanged="false">
   <label>Request Type</label>
 </input>
 <input type="text" token="type2" searchWhenChanged="false">
   <label>Company</label>
 </input>
  </fieldset>

Hope this helps!

View solution in original post

0 Karma

MohitGevaria
New Member

The reason is your <fieldforvalue> should be strictly equal to your extracted filed value. And env may not be your extracted filed in your search query. 

0 Karma

vegardw
Engager

An old post, but I was just having a similar problem and found a possible work-around. I had a dropdown that was populated by a search, and did some filtering in another search based on the value of the dropdown. The code was simular to these snippets:

<form>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="filter" searchWhenChanged="true">
      <showClearButton>false</showClearButton>
      <label>Filter</label>
      <fieldForLabel>filter</fieldForLabel>
      <fieldForValue>filter</fieldForValue>
      <search>
        <query>| inputlookup my_filters</query>
        <earliest>$timepicker.earliest$</earliest>
        <latest>$timepicker.latest$</latest>
      </search>
      <default>$filter$</default>
      <initialValue>value1</initialValue>
    </input>
  </fieldset>

  <search id="base_search">
    <query>index=some_index  some_field=some_value</query>
    <earliest>$timepicker.earliest$</earliest>
    <latest>$timepicker.latest$</latest>
  </search>

  <search id="base_filters" base="base_search">
    <query>| search filter="$filter$"</query>
  </search>
</form>

The first time I changed the dropdown, the token and the search wasn't updated. If I changed it a second time, it did update, and any changes after that worked as expected.

As I have created some HTML dashboards as well, I knew about the default and submitted token model for HTML dashboards (http://dev.splunk.com/view/webframework-developapps/SP-CAAAEW2), and found this page: https://answers.splunk.com/answers/521964/how-to-reference-token-namespaces-in-simplexml.html

I then changed my search to use $default:filter$ instead of $filter$, and the search now updates the first time the dropdown is changed:

  <search id="base_filters" base="base_search">
    <query>| search filter="$default:filter$"</query>
  </search>
0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

I think I might see the problem, or a place to start troubleshooting. I created a similar dashboard to yours using different data and a very slightly modified query so that I could generate the input values. As pointed out here:
https://answers.splunk.com/answers/329960/duplicate-values-causing-conflict.html

I think there might be an issue with your field for label and field for value settings in the dropdown input. I was getting a "conflicting values" error until I made sure that the field was the same as the token ("env") that was getting set in the query. Here is the relevant part of my sample code that worked.

 <fieldset>
  <input type="time" searchWhenChanged="false">
   <label>Select a time:</label>
   <default>Last 24 hours</default>
 </input>
 <input type="dropdown" token="env" searchWhenChanged="false">
   <label>Environment</label>
   <fieldForLabel>env</fieldForLabel>
   <fieldForValue>env</fieldForValue>
   <search>
     <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
   </search>
   <default>Metrics</default>
 </input>
 <input type="text" token="type" searchWhenChanged="false">
   <label>Request Type</label>
 </input>
 <input type="text" token="type2" searchWhenChanged="false">
   <label>Company</label>
 </input>
  </fieldset>

Hope this helps!

0 Karma

bhumikajpatel
Explorer

Hi,

Thanks for the prompt response.
Sorry, probably I had pasted the incorrect XML. Following is in the XML. I am not getting any error related to duplicate values.

Can you share with me the XML code in which you are referring (or calling) "env" token?

  <label>Environment</label>
  <fieldForLabel>env</fieldForLabel>
  <fieldForValue>env</fieldForValue>
  <search>
    <query>sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales") | dedup env | table env</query>
  </search>

Thanks again.

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Try setting "searchWhenChanged" to "true" in your dropdown to respond to a selection.

<input type="dropdown" token="env" searchWhenChanged="true">
   <label>Environment</label>
   <fieldForLabel>env</fieldForLabel>
   <fieldForValue>env</fieldForValue>
   <search>
     <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
   </search>
   <default>Metrics</default>
 </input>
0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

@bhumikajpatel, did this solve your dashboard issue? If so, please accept the answer. If not, please post an update. Thanks!

0 Karma

bhumikajpatel
Explorer

Hi,
No it didn't and I have tried every possible method to solve the problem.

The dropdown list works fine. But may be because of the dropdown values are searched dynamically or because the search string has match function the resultant sub search is not getting updated when value is selected from dropdown list.

I am not an expert with dashboards but is there any different way to use tokens for eval fields ? I am creating an eval field in the search query of my dropdown list.

Thanks.

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @bhumikajpatel,
Thanks for the update. Here are a couple of suggestions.
1) Have you tried changing "searchWhenChanged" to "true" in your other inputs?
2) I'm not clear on how the other panels are set up to respond to the "env" token being set. I'm also not sure how setting the other tokens ("type" and "type2") triggers changes to those panels.

Here are some documentation links that might help:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/tokens
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/FormEditor
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Buildandeditforms
http://docs.splunk.com/Documentation/Splunk/6.5.1612/Viz/PanelreferenceforSimplifiedXML#condition_.2...

To get more in-depth troubleshooting and advice, I'd recommend contacting Support:
Customer support contact info:
http://www.splunk.com/view/contact-us/SP-CAAAHJ6
 

0 Karma

bhumikajpatel
Explorer

Thanks.

Let me try referring these documents.
Yes, I have tried setting searchWhenChanged to "true"
But it didn't work.

0 Karma

bhumikajpatel
Explorer

Hi,

I am not very sure what the problem was but I was able to fix this issue by making the dropdown list with static options instead of dynamic search.

And then appended the following query in the subsequent search queries to update the dashboard:

sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales") | where env = "$env$" | ... <>

"$env$" is the token created from static dropdown list.

With this workaround my dashboard is updating the data correctly.

Thanks for all your help

frobinson_splun
Splunk Employee
Splunk Employee

Ah, glad to hear you figured it out! Good work 🙂

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hi @bhumikajpatel,
Can you post your dashboard Simple XML source code? This would help with troubleshooting, as there might be an issue somewhere in the dashboard with how the other panels and searches are "listening" for this change.

0 Karma

bhumikajpatel
Explorer

Hi,

Thanks for the prompt response.

Below is the XML code. Please be noted that the one highlighted in bold is experimental... ()

Report
usage

<input type="time" searchWhenChanged="false">
  <label>Select a time:</label>
  <default>Last 24 hours</default>
</input>
<input type="dropdown" token="environment" searchWhenChanged="false">
  <label>Environment</label>
  <fieldForLabel>environment</fieldForLabel>
  <fieldForValue>environment</fieldForValue>
  <search>
    <query>sourcetype="sample"|eval env=case(match(host,"AB.*"),"Production", match(host,"ab.*"),"Production", match(host,"CD.*"),"Test", match(host,"cd.*"),"Test", match(host,"EF.*"),"Sales", match(host,"ef.*"),"Sales") | dedup env | table env</query>
  </search>
  <default>Production</default>
</input>
<input type="text" token="type" searchWhenChanged="false">
  <label>Request Type</label>
</input>
<input type="text" token="type2" searchWhenChanged="false">
  <label>Company</label>
</input>


<panel depends="$env$">
  <title></title>
  <table>
    <search>
      <query>sourcetype="sample" $env$....</query>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <drilldown>
      <!-- Use set to specify the new token to be created.
                 Use any token from the page or from the click event to produce the value needed. -->
      <set token="type">$row.type$</set>
      <!-- If we also set the form.sourcetype the input will get updated too -->
      <set token="form.type">$row.type$</set>
    </drilldown>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>


**<panel depends="$type$,$env$">**
  <title></title>
  <table>
    <search>
      <query>sourcetype="perf_log_bizx" $env$|....</query>
      <sampleRatio>1</sampleRatio>
    </search>
    <format type="color" field="field1">
      <colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
      <scale type="threshold">2,6,10000</scale>
    </format>
    <format type="color" field="field2">
      <colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
      <scale type="threshold">2,6,10000</scale>
    </format>
    <format type="number" field="field3">
      <option name="precision">0</option>
      <option name="useThousandSeparators">true</option>
    </format>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <drilldown>
      <!-- Use set to specify the new token to be created.
                 Use any token from the page or from the click event to produce the value needed. -->
      <set token="type2">$row.type2$</set>
      <!-- If we also set the form.sourcetype the input will get updated too -->
      <set token="form.type2">$row.type2$</set>
    </drilldown>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>
<panel depends="$type2$,$env$">
  <title></title>
  <table>
    <search>
      <query>sourcetype="perf_log_bizx" $env$|....</query>
      <sampleRatio>1</sampleRatio>
    </search>
    <format type="color" field="field1)">
      <colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
      <scale type="threshold">2,6,10000</scale>
    </format>
    <format type="color" field="field2">
      <colorPalette type="list">[#FFFF99,#3CB371,#F08080]</colorPalette>
      <scale type="threshold">2,6,10000</scale>
    </format>
    <format type="number" field="field3">
      <option name="precision">0</option>
      <option name="useThousandSeparators">true</option>
    </format>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...