Dashboards & Visualizations

Why is my dynamic input drop-down displaying one comma separated string instead of discrete values?

Hal0n
New Member

I'm creating a dashboard to help less technical operators evaluate the contents of our indexes so that we can restructure the roles and data access.

This is the source as it stands today (the search will be replaced by a report performing the same search once a day):

<form>
  <label>Index Investigation Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="index_name" searchWhenChanged="false">
      <label>Index</label>
      <search>
        <query>index=* OR index=_* | stats values(index) AS indexname | eval label=indexname | table indexname, label</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>indexname</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Hosts and Sources</title>
        <search>
          <query>index="$index_name$" | eval host_and_source=(host . " | " . source) | stats values(host_and_source) AS "Hosts and Sources"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

What is absolutely driving me crazy right now is the drop-down is a comma separated string of all of the indexes. I'm not getting discrete values to select, I'm getting a great big string of garbage. WHY?!?

0 Karma

nmulm
Explorer

Thank you much, this was driving me nuts too. mvexpand sorted my query too.

0 Karma

s2_splunk
Splunk Employee

Try this search instead to populate your dropdown: | tstats count where index=* OR index=_* by index | fields - count | eval label=index

Much faster and with less hair-loss... 😉

And, to actually answer your question: You are getting a comma-separated value list, because of your use of stats values(), which creates a multi-value field. You should be getting the results you want by changing your search to index=* OR index=_* | stats values(index) AS indexname | mvexpand indexname | eval label=indexname. Note that you do not need the table command at the end. It actually only hurts you performance-wise.
I would still use tstats, because it goes against metadata instead of having to sift through buckets.
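
The fix from the answer above applied to the original form, as an added example that is not part of the thread and was not posted by any participant. The changes are the populating search, `fieldForValue` (the tstats search names its field `index`), and `searchWhenChanged="true"`, which is a choice made for this example so the panel updates on selection.

```xml
<form>
  <label>Index Investigation Dashboard</label>
  <fieldset submitButton="false">
    <!-- searchWhenChanged="true" is a choice made for this example so the
         panel reruns as soon as an index is picked. -->
    <input type="dropdown" token="index_name" searchWhenChanged="true">
      <label>Index</label>
      <search>
        <!-- "by index" returns one result row per index, so each row becomes
             one dropdown choice. stats values(index) alone returns a single
             row holding a multi-value field, which the dropdown shows as one
             comma-separated entry. The mvexpand form from the answer also
             yields one row per index:
               index=* OR index=_* | stats values(index) AS indexname
                 | mvexpand indexname | eval label=indexname
             (with fieldForValue set back to indexname). -->
        <query>| tstats count where index=* OR index=_* by index | fields - count | eval label=index</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <!-- The tstats search names its field "index", not "indexname". -->
      <fieldForValue>index</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Hosts and Sources</title>
        <search>
          <!-- Unchanged from the original post. -->
          <query>index="$index_name$" | eval host_and_source=(host . " | " . source) | stats values(host_and_source) AS "Hosts and Sources"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
```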

Hal0n
New Member

Still doesn't work 😕

I'm just going to type the static values in, this is costing me too much time already

0 Karma

abeng33
Engager

Had the same issue in my form: in one environment the dropdown worked fine with a stats(values) statement, but in a different server environment, the same search produced a comma-separated list. Using mvexpand fixed this for me.

s2_splunk
Splunk Employee

Fair enough. I did test my | tstats query on a sample dashboard, so I was sure it would work before posting. Let us know if you want to make it dynamic at a later time. Happy to take another look.

0 Karma