Why is my simple drop-down menu not filtering results in the dashboard panel?

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I'm trying to put together a dashboard which is set out as follows:

  • Timepicker
  • List of usernames which is filtered by the timepicker

Then when the user selects the timepicker and the username, I would like this to extract the relevant data in the dashboard panel.

This is the 'simple XML' for this part of the dashboard:

<form>
  <label>Splunk Users</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timerange" searchWhenChanged="false">
      <label>Select the Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="author" searchWhenChanged="true">
      <label>Select the User</label>
      <default>*</default>
      <choice value="*">All</choice>
      <search>
        <query>|rest /services/search/jobs earliest=$timerange.earliest$ latest=$timerange.latest$   
|search NOT (author="splunk-system-user" OR author="monitoring")  
|search title!="" 
|stats count by author</query>
      </search>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
      <prefix>author="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Splunk Searches Performed - Results for $author$</title>
        <search>
          <query>|rest /services/search/jobs author="$author$" 
|search NOT (author="splunk-system-user" OR author="monitoring")  
|search title!=""    
|addtotals fieldname=duration *duration_secs     
|eval groupduration=case(duration<=300, "Less Than 5 Minutes", duration>300 AND duration<=600, "Between 5 and 10 Minutes", duration>600 AND duration<=1200, "Between 10 and 20 Minutes", duration>1200 AND duration<=1800, "Between 20 and 30 Minutes", duration>1800, "Greater than 30 Minutes")    
|convert rmunit(duration) as numSecs     
|eval stringSecs=tostring(duration,"duration")     
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")    
|rex field=stringSecs "\.(?<ms>\d{2})"  
|rex field=stringSecs "(?<myRest>.+)s\."     
|eval stringSecs=myRest. "s " .ms. "ms"    
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24))     
|eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")   
|convert timeformat="%d/%b/%Y" ctime(earliestTime)     
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")    
|convert timeformat="%d/%b/%Y" ctime(latestTime)     
|eval daterange= "From: ".earliestTime.", To: ".latestTime     
|makemv delim=", " daterange  
|table author eai:acl.app title daterange  NoOfDays stringSecs groupduration    
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime", groupduration as "Run Time Category"</query>
          <earliest>0</earliest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

The problem I have is that I cannot filter the results in the dashboard panel. Irrespective of what user selects in the drop-down menu, the panel displays the results for all users.

I've been through the various examples online, but I still can't get this to work.

I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
1 Solution

IRHM73
Motivator

Hi all, once again thank you for all your help with this, but I've managed to solve the issue as below:

<form>
  <label>Simple select drop down Clone</label>
  <!-- define master search template, with replacement tokens delimited with $ -->
  <searchTemplate>|rest /services/search/jobs | search author=$author$ 
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!="" 
|addtotals fieldname=duration *duration_secs 
|convert rmunit(duration) as numSecs 
|eval stringSecs=tostring(duration,"duration")  
|eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")   
|rex field=stringSecs "\.(?<ms>\d{2})" | rex field=stringSecs "(?<myRest>.+)s\." 
|eval stringSecs=myRest. "s " .ms. "ms" 
|eval NoOfDays=floor((searchLatestTime-searchEarliestTime)/(3600*24)) 
|where NoOfDays>=90 |eval earliestTime=strptime(earliestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(earliestTime) 
|eval latestTime=strptime(latestTime, "%Y-%m-%dT%H:%M:%S")
|convert timeformat="%d/%b/%Y" ctime(latestTime) 
|eval daterange= "From: ".earliestTime.", To: ".latestTime 
|makemv delim=", " daterange  
|table author eai:acl.app title daterange  NoOfDays stringSecs 
|rename author as "Search Author", eai:acl.app as "App Used", title as "Query", daterange as "Query Date Range", NoOfDays as "Query Date Range (Days)", stringSecs as "Query Runtime"</searchTemplate>
  <earliestTime>-30d</earliestTime>
  <latestTime>-0d</latestTime>
  <fieldset>
    <!-- Define a simple dropdown form driven by a search -->
    <input type="dropdown" token="author">
      <label>Select series</label>
      <search>
        <query>|rest /services/search/jobs   |search NOT (author="splunk-system-user" OR author="monitoring")    |search title!=""  | top author</query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <!-- output the results as a 50 row events table -->
    <table>
      <title>Matching events</title>
      <option name="count">50</option>
    </table>
  </row>
</form>

The key, I think, was incorporating the query into a "Search Template".

All I need to do now is add the 'Timepicker' but I think I'll be able to incorporate this.

Kind Regards

Chris

0 Karma

ngatchasandra
Builder

Hi IRHM73,

Try changing your query as follows, because you have already prefixed author in the dropdown input:

   <query>|rest /services/search/jobs |search "$author$"
   |search NOT (author="splunk-system-user" OR author="monitoring")
   |search title!=""
   |addtotals fieldname=duration *duration_secs
   |eval groupduration=case(duration<=300, "Less Than 5 Minutes", duration>300 AND duration<=600, "Between 5 and 10 Minutes", duration>600 AND duration<=1200, "Between 10 and 20 Minutes", duration>1200 AND duration<=1800, "Between 20 and 30 Minutes", duration>1800, "Greater than 30 Minutes")
   |convert rmunit(duration) as numSecs .......
   ....

IRHM73
Motivator

Hi, thank you for coming back to me with this.

I've tried your suggestion but unfortunately I'm still receiving the "No results found" message.

Many thanks and kind regards

Chris

0 Karma

renjith_nair
Legend

Hi Chris,

If I'm not wrong, you can't use your filters in the rest but pipe it and then filter it. So try changing

<query>|rest /services/search/jobs author="$author$"

to

<query>|rest /services/search/jobs |search author="$author$" 

The same thing applies to your time range as well.

---
What goes around comes around. If it helps, hit it with Karma 🙂

IRHM73
Motivator

Hi @renjith.nair, thank you for coming back to me with this.

Unfortunately this isn't working because I receive "No results found" for every user selected in the drop-down menu, even with the 'Timepicker' filter removed.

Many thanks and kind regards

Chris

0 Karma

renjith_nair
Legend

It's working fine for me with |rest /services/search/jobs |search author="*" where * is the value for all

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi that's great thank you for coming back to me with this.

Kind Regards

Chris

0 Karma

HeinzWaescher
Motivator

Did you open the result in search to see the dispatched query and check whether this is what you've expected?
Have you tried this:

...
<search>
       <query>|rest /services/search/jobs author=$author$
 |search NOT (author="splunk-system-user" OR author="monitoring")  
 |search title!=""
...

IRHM73
Motivator

Hi @HeinzWaescher, thank you for coming back to me with this.

I have tried the query you kindly provided and unfortunately I'm still getting all the results.

If I use | where author="$username$" further down in my query, I can manage to display the information for the selected user in the dashboard panel. But then when I choose "Any" from the drop down menu, all I receive is "No results found" in the panel.

Many thanks and kind regards

Chris

0 Karma

HeinzWaescher
Motivator

If you have defined "any" as * in the dropdown options, try to use | search. I believe the where command only compares the values of two fields. But here you want to use the defined value.

0 Karma
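Pulling together renjith_nair's point (filter after `| rest`, not as an argument to it) and HeinzWaescher's point (`| search` wildcard-matches `*`, `| where` compares against the literal string), here is a corrected form for the original dashboard. This is an added example, not a poster's own code: it keeps the original `<prefix>`/`<suffix>` on the dropdown, so `$author$` already expands to `author="..."` and must not be wrapped in `author=""` a second time in the panel query. The time picker is left out because `| rest` is a generating command that the dashboard time range does not constrain; bounding the job list by time needs its own post-pipe filter.

```xml
<form>
  <label>Splunk Users</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="author" searchWhenChanged="true">
      <label>Select the User</label>
      <!-- value "*" becomes author="*" via prefix/suffix; | search treats
           "*" as a wildcard, so "All" really matches every author -->
      <choice value="*">All</choice>
      <default>*</default>
      <search>
        <query>| rest /services/search/jobs
| search NOT (author="splunk-system-user" OR author="monitoring") title!=""
| stats count by author</query>
      </search>
      <fieldForLabel>author</fieldForLabel>
      <fieldForValue>author</fieldForValue>
      <prefix>author="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Splunk Searches Performed - Results for $author$</title>
        <search>
          <!-- rest takes no author= argument, so the filter sits after the
               pipe. $author$ is inserted bare: with the prefix/suffix it is
               already author="name" (or author="*" for All). Using
               | where author="*" here would compare against a literal "*"
               and return "No results found" for the All choice. -->
          <query>| rest /services/search/jobs
| search $author$
| search NOT (author="splunk-system-user" OR author="monitoring") title!=""
| table author eai:acl.app title</query>
        </search>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
```

Opening the panel's search in Search (as HeinzWaescher suggests) shows the dispatched query with the token already substituted, which is the quickest way to confirm that `author=` appears exactly once.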