Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Create Dynamic Dropdown Inputs at Search Results within a Form (Version 6.3.3)

_gkollias
Builder
‎10-04-2016 07:24 AM

Hi,

I’m looking for a way to add dropdown inputs to the search results of a form.

I’m looking for something where the inputs are based on the initial selection from the form (so there are 6 options to choose, and each option displays different field values).

Here is a small sample of the current form:

<form>
  <searchTemplate>
    <![CDATA[ `$tkn_search$` $tkn$ $tkn$ $tkn$ $tkn$ $tkn$ $tkn$ $tkn$
     | `$tkn_transaction_search$`]]>
  </searchTemplate>
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" searchWhenChanged="false" token="tkn_search">
      <choice value="search_a">A</choice>
      <choice value="search_b">B</choice>
      <choice value="search_c">C</choice>
      <choice value="search_d">D</choice>
      <choice value="search_e">E</choice>
      <choice value="search_f">F</choice>
      <change>
        <!-- http://docs.splunk.com/Documentation/Splunk/6.4.2/Viz/EventHandlerReference#Condition_element -->
        <condition label="A">
          <set token="tkn_transaction_search">txn_a</set>
        </condition>
        <condition label="B">
          <set token="tkn_transaction_search">txn_b</set>
        </condition>
        <condition label="C">
          <set token="tkn_transaction_search">txn_c</set>
        </condition>
        <condition label="D">
          <set token="tkn_transaction_search">txn_d</set>
        </condition>
        <condition label="E">
          <set token="tkn_transaction_search">txn_e</set>
        </condition>
        <condition label="F">
          <set token="tkn_transaction_search">txn_f</set>
        </condition>
      </change>
    </input>
<various_inputs> </various_inputs>
    <input type="time" searchWhenChanged="false">
      <label>Select time:</label>
      <default>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table id="results">
        <title>Your Results</title>
      </table>
    </panel>
  </row>
</form>

Any point of direction within the docs or sample code would be greatly appreciated.

0 Karma
Reply

rjthibod
Champion
‎10-04-2016 11:30 AM

There are a couple of ways of doing the kind of thing you want. One is simpler and requires more inputs, another is more complex and may not work in all cases but will reduce the number of inputs.

The first thing to know is how to use the depends= and rejects= settings on the <input> elements. You can hide or show elements of the dashboards using the tokens you are setting by referencing the tokens in the depends= and rejects= settings. For example, the following dropdown only appears when token_A and token_B are defined to some value and token_C is undefined. More details here: http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/PanelreferenceforSimplifiedXML

<input searchWhenChanged="true" token="split_field" type="dropdown" depends="$token_A$,$token_B$" rejects="$token_C$">
      <label>Split-by Field</label>
      <choice value="user">User</choice>
      <choice value="host">Host</choice>
      <choice value="domain">Domain</choice>
      <default>domain</default>
</input

So you should be able to see a way to combine tokens in a logical fashion to determine which ones are used or not. The number of combinations of inputs and what values to show in those inputs will determine how complex this gets. The other thing that will determine how complex is if you want certain values to appear in the second-level inputs based on searches that populate those values. I can't really spell a simple example here, but just be sure you test everything out.

0 Karma
Reply

_gkollias
Builder
‎10-04-2016 12:16 PM

rjthibod,

Interesting! I'll play around with this and let you know how it goes.

Thanks!

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎10-05-2016 07:53 AM

Also @KolGr001, if still stuck by the time we do office hours again, we can work through this. In the interim, please check out the latest docs as you might notice that some of the simple xml tags you were using have been superseded by newer versions that are easier to use. If you end up nailing this then go ahead and accept @rjthibod's answer?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...