Getting Data In

How to get a default value and assign all values to "All" in a drop-down from a CSV file input?

Laya123
Communicator

Hi,

I am getting 2 issues when I am creating a dashboard.

  1. I have 2 multiselect drop-downs. If I select a value from the first drop-down, based on the value selected, I want a default value to be assigned to the second drop-down. Example: My first drop-down has A,B,C,D,E,F and all these values have a status. I have these statuses in the second drop-down like A-Success, A-Failure, A-Disabled same as B-Success, B-Failure, B-Disabled, so I have the status for all values of the first drop-down. What I want is if I select 'A' from the first drop-down, I want the default value for the second drop-down to be A-Success. If I select 'B' from the first drop-down, I want the default value for the second drop-down to be B-Success, and the same for all other values.

  2. My second issue is I want an 'All' option in my drop-down list. If I select 'All', it has to give the report for all values listed in the drop-down. My input for this dashboard is a CSV file, so that is the reason I am unable to use *.

<choice value="*">All</choice> this is not working because I am using csv file for this dashboard.

Can any one help me to do the above 2 issues

My XML code is

<form>
  <label>Weeklies</label>
  <description>Weeklies</description>
  <fieldset submitButton="false" autoRun="false">
    <input type="dropdown" token="StartDay1" searchWhenChanged="true">
      <label>From</label>
      <choice value="*">All</choice>
      <search>
        <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
      </search>
      <fieldForLabel>Start_Day</fieldForLabel>
      <fieldForValue>Start_Day</fieldForValue>
    </input>
    <input type="dropdown" token="StartDay2" searchWhenChanged="true">
      <label>To</label>
      <choice value="*">All</choice>
      <search>
        <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
      </search>
      <fieldForLabel>Start_Day</fieldForLabel>
      <fieldForValue>Start_Day</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="multiselect" token="AAType1" searchWhenChanged="False">
        <label>Act Type</label>
        <search>
          <query>|inputlookup _AADaily.csv |stats count by AAtype</query>
        </search>
        <fieldForLabel>ActType</fieldForLabel>
        <fieldForValue>AAtype</fieldForValue>
        <default>Publish</default>
        <prefix>(</prefix>
        <valuePrefix>AAtype ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
      </input>
      <input type="multiselect" token="Status1" searchWhenChanged="true">
        <label>Status</label>
        <search>
          <query>|inputlookup _AADaily.csv|where ($AAType1$) AND (Status!="Failed" AND Status!="Disabled") |stats count by Status</query>
        </search>
        <fieldForLabel>Status</fieldForLabel>
        <fieldForValue>Status</fieldForValue>
        <prefix>(</prefix>
        <valuePrefix>Status ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
      </input>
      <chart>
        <title>Averagetime</title>
        <search>
          <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$ |where ($AAType1$) AND ($Status1$) |chart avg(Total_TimeSec) AS "Avg_Total_ActTime" over ServerName by AAtype</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
</row>
</form>

Thanks in advance

Tags (4)
0 Karma
1 Solution

Laya123
Communicator

Hi,

I got the solution for my query;

Weeklies
Weeklies

<input type="dropdown" token="StartDay1" searchWhenChanged="true">
  <label>From</label>
  <choice value="*">All</choice>
  <search>
    <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
  </search>
  <fieldForLabel>Start_Day</fieldForLabel>
  <fieldForValue>Start_Day</fieldForValue>
</input>
<input type="dropdown" token="StartDay2" searchWhenChanged="true">
  <label>To</label>
  <choice value="*">All</choice>
  <search>
    <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
  </search>
  <fieldForLabel>Start_Day</fieldForLabel>
  <fieldForValue>Start_Day</fieldForValue>
</input>


<panel>
  <input type="multiselect" token="AAType1" searchWhenChanged="false">
    <label>Activation_Type</label>
    <default>"AAtype=""Activate"" OR AAtype=""Publish"" OR AAtype=""Launch"""</default>
    <choice value="AAtype=&quot;Activate&quot; OR AAtype=&quot;Publish&quot; OR AAtype=&quot;Launch&quot;">All</choice>
    <choice value="AAtype=&quot;Activate&quot;">Activate</choice>
    <choice value="AAtype=&quot;Publish&quot;">Publish</choice>
    <choice value="AAtype=&quot;Launch&quot;">Launch</choice>
  </input>
  <input type="multiselect" token="Status1" searchWhenChanged="true">
    <label>Status</label>
    <choice value="Status=&quot;Activated&quot; OR Status=&quot;Published&quot; OR Status=&quot;Launched&quot;">All</choice>
    <choice value="Status=&quot;Activated&quot;">Activated</choice>
    <choice value="Status=&quot;Published&quot;">Published</choice>
    <choice value="Status=&quot;Launched&quot;">Launched</choice>
    <default>"Status=""Activated"" OR Status=""Published"" OR Status=""Launched"""</default>
  </input>
  <chart>
    <title>Averagetime</title>
    <search>
      <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$ |where ($AAType1$) AND ($Status1$) |chart eval(round(avg(Total_TimeSec),2)) AS "Avg_Total_ActivationTime" over ServerName by AAtype</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>

Thank you

View solution in original post

Laya123
Communicator

Hi,

I got the solution for my query;

Weeklies
Weeklies

<input type="dropdown" token="StartDay1" searchWhenChanged="true">
  <label>From</label>
  <choice value="*">All</choice>
  <search>
    <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
  </search>
  <fieldForLabel>Start_Day</fieldForLabel>
  <fieldForValue>Start_Day</fieldForValue>
</input>
<input type="dropdown" token="StartDay2" searchWhenChanged="true">
  <label>To</label>
  <choice value="*">All</choice>
  <search>
    <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|stats dc(Start_Day) by Start_Day</query>
  </search>
  <fieldForLabel>Start_Day</fieldForLabel>
  <fieldForValue>Start_Day</fieldForValue>
</input>


<panel>
  <input type="multiselect" token="AAType1" searchWhenChanged="false">
    <label>Activation_Type</label>
    <default>"AAtype=""Activate"" OR AAtype=""Publish"" OR AAtype=""Launch"""</default>
    <choice value="AAtype=&quot;Activate&quot; OR AAtype=&quot;Publish&quot; OR AAtype=&quot;Launch&quot;">All</choice>
    <choice value="AAtype=&quot;Activate&quot;">Activate</choice>
    <choice value="AAtype=&quot;Publish&quot;">Publish</choice>
    <choice value="AAtype=&quot;Launch&quot;">Launch</choice>
  </input>
  <input type="multiselect" token="Status1" searchWhenChanged="true">
    <label>Status</label>
    <choice value="Status=&quot;Activated&quot; OR Status=&quot;Published&quot; OR Status=&quot;Launched&quot;">All</choice>
    <choice value="Status=&quot;Activated&quot;">Activated</choice>
    <choice value="Status=&quot;Published&quot;">Published</choice>
    <choice value="Status=&quot;Launched&quot;">Launched</choice>
    <default>"Status=""Activated"" OR Status=""Published"" OR Status=""Launched"""</default>
  </input>
  <chart>
    <title>Averagetime</title>
    <search>
      <query>|inputlookup _AADaily.csv |eval _time=strptime(Starttime,"%m/%d/%Y %H:%M:%S.%3N")|eval Start_Day = strftime(_time,"%d")|where Start_Day>=$StartDay1$ AND Start_Day<=$StartDay2$ |where ($AAType1$) AND ($Status1$) |chart eval(round(avg(Total_TimeSec),2)) AS "Avg_Total_ActivationTime" over ServerName by AAtype</query>
      <earliest>0</earliest>
      <latest></latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">false</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>

Thank you

savithamr
Path Finder

Hi Laya,
I am also doing something similar to what you have done. But with the text box.

<input type="text" token="warn" searchWhenChanged="true">
        <label>Warning Threshold</label>
        <search>
          <query>| inputlookup customer1.csv | outputlookup csv_lookup | stats values(warningThreshold) AS MYWARN</query>
        </search>
        <default>MYWARN</default>
        <initialValue>MYWARN</initialValue>
        <Value>MYWARN</Value>
      </input>

But this doesnt seem to work for me.
My customer1.csv is like this:
warningThreshold, criticalThreshold
15,25
~

So i expected the text box to have 15 when form is loaded. I am new to Splunk/xml. Any help is appreciated.
Thanks

0 Karma

Laya123
Communicator

Hi Team,

I got the solution for this.

Thank you

0 Karma

ppablo
Retired

Hi @Laya123,

Please post your actual full solution here and accept that answer please to resolve this post.

0 Karma

Laya123
Communicator

Hi,

Any help for my request; can anyone tell me is it possible or not

Thanks

0 Karma

Laya123
Communicator

Hi team,

Any help on this

Thanks

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...