
dropdown not working

splunkpoornima
Communicator

Hi,

Using the code below I created three dropdowns. If I select the index name in the first dropdown, it shows the sourcetypes in that index in the second dropdown.

Up to this point it's working fine :)

My problem is that if I select the sourcetype in the second dropdown, I want the list of sources for the sourcetype I have selected in the second dropdown, but it shows all sources.

This is the code I used:

<module name="SearchSelectLister" layoutPanel="panel_row3_col1" group="Drilldowns - 3">
  <param name="label">which index</param>
  <param name="settingToCreate">index_setting</param>
  <param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>
  <param name="searchWhenChanged">True</param>
  <param name="selected">main</param>
  <param name="searchFieldsToDisplay">
    <list>
      <param name="label">index</param>
      <param name="value">index</param>
    </list>
  </param>
  <module name="ConvertToIntention">
    <param name="settingToConvert">index_setting</param>
    <param name="intention">
      <param name="name">stringreplace</param>
      <param name="arg">
        <param name="index">
          <param name="fillOnEmpty">True</param>
          <param name="prefix">index=</param>
          <param name="value">$target$</param>
        </param>
      </param>
    </param>
    <module name="SearchSelectLister">
      <param name="label">Sourcetype</param>
      <param name="settingToCreate">sourcetype_setting</param>
      <param name="search">| metadata type="sourcetypes" $index$</param>
      <param name="applyOuterIntentionsToInternalSearch">True</param>
      <param name="searchFieldsToDisplay">
        <list>
          <param name="label">sourcetype</param>
          <param name="value">sourcetype</param>
        </list>
      </param>

      <module name="ConvertToIntention">
        <param name="settingToConvert">sourcetype_setting</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
            <param name="sourcetype">
              <param name="fillOnEmpty">True</param>
              <param name="prefix">sourcetype=</param>
              <param name="value">$target$</param>
            </param>
          </param>
        </param>
        <module name="SearchSelectLister">
          <param name="label">Source</param>
          <param name="settingToCreate">source_setting</param>
          <param name="search">| metadata type="sources" $index$ $sourcetype$ </param>
          <param name="applyOuterIntentionsToInternalSearch">True</param>
          <param name="searchFieldsToDisplay">
            <list>
              <param name="label">source</param>
              <param name="value">source</param>
            </list>
          </param>
          <module name="HiddenSearch">
            <param name="search">$index$ $sourcetype$ $source$</param>
            <module name="ConvertToIntention">
              <param name="settingToConvert">source_setting</param>
              <param name="intention">
                <param name="name">stringreplace</param>
                <param name="arg">
                  <param name="source">
                    <param name="fillOnEmpty">True</param>
                    <param name="prefix">source=</param>
                    <param name="value">$target$</param>
                  </param>
                </param>
              </param> 

This is the output I am getting:

thanks!!!

0 Karma

splunkpoornima
Communicator

Hi sruthy,

I got the same error as above.

0 Karma

sruthy
Explorer

Why can't you try this:
$index$ $sourcetype$ |top source

0 Karma

splunkpoornima
Communicator

Hi smolcj,

I tried with the sample code you had given, but I am still getting the error as below.


0 Karma

sideview
SplunkTrust

The fundamental problem here is that while the metadata command can accept an "index" argument, and it will return only the sourcetypes, sources and hosts for that index, the index field is unique in this respect, meaning that the metadata command is not able to filter the list of sources to be just those that match a single sourcetype, or host, etc., and likewise for all combinations. The only one that works is the index=foo argument.

Why the command allows you to type "sourcetype=foobarbaz" without giving some error here, I'm not sure. Note that you can run | metadata type="sources" index=main sourcetype=nonexistent source=also_nonexistent fred=mildred and it will happily give you all of the sources back as though you had only passed the index term...

Anyway, you can of course get the correct matching sources by running the actual search against the index, but since you'd have to get every event off of disk for that index and sourcetype, this can be extremely expensive and for that reason it's probably not practical to do so.

Incidentally, if you use more than two SearchSelectListers you can hit some confusion where the intentions actually get consumed by the lister modules, so you have to re-convert an intention that you already converted further upstream. You may consider switching to Sideview Utils because a) no intentions any more, b) no listers any more, c) lots of great new modules to use, and d) it makes the advanced XML far easier to deal with.

For example, here's the same view written out using Sideview modules:

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>

  <module name="Pulldown">
    <param name="name">index</param>
    <param name="label">Index</param>
    <param name="valueField">index</param>
    <param name="template">index="$value$"</param>

    <module name="Search">
      <param name="search">| metadata type="sourcetypes" $index$</param>

      <!-- you can use $name$ as internal shorthand for your name param -->
      <module name="Pulldown">
        <param name="name">sourcetype</param>
        <param name="label">Sourcetype</param>
        <param name="valueField">$name$</param>
        <param name="template">$name$="$value$"</param>

        <module name="Search">
          <param name="search">| metadata type="sources" $index$ $sourcetype$</param>

          <module name="Pulldown">
            <param name="name">source</param>
            <param name="label">Source</param>
            <param name="valueField">$name$</param>
            <param name="template">$name$="$value$"</param>

            <module name="Search">
              <param name="search">$index$ $sourcetype$ $source$ | head 100</param>

              <module name="Pager">
                <module name="EventsViewer"></module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

Note that while this example dispatches the correct searches, it still suffers from the problem that you're reporting - simply because the metadata command ignores the source and sourcetype arguments. Nonetheless I thought I'd provide the syntax so you can see how much easier it is to deal with.

You can get the latest Sideview Utils only from the Sideview site, http://sideviewapps.com/apps/sideview-utils/. The latest version is 2.2.8, and it's free for internal use.

0 Karma
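
Added example, not part of the original thread and not Sideview's own code: the Sideview view from the answer above with only the third search changed, so the source list comes from an event search (the approach the answer describes as correct but expensive, and the one sruthy's "| top source" suggestion takes) instead of from metadata. The earliest=-24h window is an assumption chosen to bound the cost; sources with no events in that window will not appear in the pulldown.

```xml
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">| eventcount summarize=false index=* | search index!="splunklogger" index!="summary" index!="history" | sort -index</param>

  <module name="Pulldown">
    <param name="name">index</param>
    <param name="label">Index</param>
    <param name="valueField">index</param>
    <param name="template">index="$value$"</param>

    <module name="Search">
      <!-- metadata honours the index argument, so it is still fine at this level -->
      <param name="search">| metadata type="sourcetypes" $index$</param>

      <module name="Pulldown">
        <param name="name">sourcetype</param>
        <param name="label">Sourcetype</param>
        <param name="valueField">$name$</param>
        <param name="template">$name$="$value$"</param>

        <module name="Search">
          <!-- Event search instead of metadata: $sourcetype$ now really filters.
               It reads events from disk, hence the assumed 24 hour bound.
               stats is used rather than top, which returns only 10 rows by default. -->
          <param name="search">$index$ $sourcetype$ earliest=-24h | stats count by source | sort -count</param>

          <module name="Pulldown">
            <param name="name">source</param>
            <param name="label">Source</param>
            <param name="valueField">$name$</param>
            <param name="template">$name$="$value$"</param>

            <module name="Search">
              <param name="search">$index$ $sourcetype$ $source$ | head 100</param>

              <module name="Pager">
                <module name="EventsViewer"></module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```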