Why is my dynamic input drop-down displaying one comma separated string instead of discrete values?

Hal0n
New Member

I'm creating a dashboard to help less technical operators evaluate the contents of our indexes so that we can restructure the roles and data access.

This is the source as it stands today (the search will be replaced by a report performing the same search once a day):

<form>
  <label>Index Investigation Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="index_name" searchWhenChanged="false">
      <label>Index</label>
      <search>
        <query>index=* OR index=_* | stats values(index) AS indexname | eval label=indexname | table indexname, label</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>indexname</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Hosts and Sources</title>
        <search>
          <query>index="$index_name$" | eval host_and_source=(host . " | " . source) | stats values(host_and_source) AS "Hosts and Sources"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

What is absolutely driving me crazy right now is the drop-down is a comma separated string of all of the indexes. I'm not getting discrete values to select, I'm getting a great big string of garbage. WHY?!?

0 Karma

nmulm
Explorer

Thank you very much, this was driving me nuts too. mvexpand sorted my query too.

0 Karma

s2_splunk
Splunk Employee

Try this search instead to populate your dropdown: | tstats count where index=* OR index=_* by index | fields - count | eval label=index

Much faster and with less hair-loss... 😉

And, to actually answer your question: You are getting a comma-separated value list, because of your use of stats values(), which creates a multi-value field. You should be getting the results you want by changing your search to index=* OR index=_* | stats values(index) AS indexname | mvexpand indexname | eval label=indexname. Note that you do not need the table command at the end. It actually only hurts you performance-wise.
I would still use tstats, because it goes against metadata instead of having to sift through buckets.

Hal0n
New Member

Still doesn't work 😕

I'm just going to type the static values in; this is costing me too much time already.

0 Karma

abeng33
Engager

Had the same issue in my form: in one environment the dropdown worked fine with a stats(values) statement, but in a different server environment the same search produced a comma-separated list. Using mvexpand fixed this for me.

s2_splunk
Splunk Employee

Fair enough. I did test my | tstats query on a sample dashboard, so I was sure it would work before posting. Let us know if you want to make it dynamic at a later time. Happy to take another look.

0 Karma