Getting Data In

Why is there a change of dropdownlist?

Jasmine
Path Finder

Splunk search result  are fetched from different locations from the app based on Id

I have added dropdown list for the value Table1 and Search string is as below:

Based on the above query all the Table1 got populated in dropdownlist and displays all the values in single row.(Id, Table1, Time1, Table2,Time2,PayLoad) But on change of dropdownlist the values of Table2 - Table2,Time2,salary1,PayLoad getting hidden.. i can see only Table1,Time1.. (it shows the values from the one page only.. not grouping from other pages)

Can you please help me?

 

Labels (1)

woodcock
Esteemed Legend

This question is a bit of a mess and I cannot make sense of it.  Probably you should start over and be more clear.  We usually do not care much about your existing SPL.  What we REALLY care about is CLEAR SAMPLE DATA (preferably with generation SPL, like I show below) and CLEAR DESIRED OUTPUT. 

It looks VERY much like your data is being sent in wrong and that each current event is actually multiple events.  You should reindex it and break up these event clumps into single events.  If the problem is that each clumped event lacks a correlation ID (so if you split them, the relationship is lost), then you should take a look at cribl because it has a feature to do this.  You can contact me directly because that discussion is more complicated than we can do here.

In any case, here is what I have for a start:

 

| makeresults 
| eval _raw="
2023-03-31 05:14:16,447 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table1\": \"employee\", \"Time1\": \"3.04\"}" 
| append [| makeresults 
| eval _raw="2023-03-31 05:14:16,393 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table2\": \"salary\", \"Time2\": \"4.05\"}"] 
| append [| makeresults 
| eval _raw="
2023-03-31 05:20:16,393 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table3\": \"salary1\",\"PayLoad\": {\\\"type\\\":\\\"test\\\",\\\"name\\\":\\\"jas\\\"}"] 
| eval _time = strptime(_raw, "%Y-%m-%d %H:%M:%S,%3N") 
| kv pairdelim="{,}" kvdelim=":"

 

0 Karma

jotne
Builder

Just a tip.  

You can clean up your input to make regex simpler.  This example removes the single " and replace the \" with "

| rex mode=sed field=_raw "s/[^\\\]\"//g s/\\\\\"/\"/g"

ITWhisperer
SplunkTrust
SplunkTrust

It is not clear what it is you are trying to do. Please can you share your dashboard source code?

0 Karma

Jasmine
Path Finder

- All the informations - EmpId, Name, Designation, Address1,Address2,Location,officeInfo displayed in single row based on EmpId.

I want to add dropdownlist for Designation.

I have added code in Search String of Designation dropdownlist and the token is desigToken. Now Designations populated in Designation dropdownlist

In main query how can i adjust to add Designation search from dropdownlist on change..

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You have filtered all the events by $desigToken$ in the initial search, so other events which include data for the other fields are not retrieved in the initial search, which is why they don't appear in the results.

You need to move the filtering by $desigToken$ to after you have gathered all the field values together.

0 Karma

Jasmine
Path Finder

Hi,

I have used where clause to filter as below:

If I hard code the value it works fine.

 

 

where Designation = "Manager"

 

 

I have integrated as below:

 

 

if I try to run the above query it takes Designation as below(without quotes).. so no data returns...

 

 

where Designation = Manager

 

 

Please advise..

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Token usage in dashboards - Splunk Documentation

Try this

|where Designation = $desigToken|s$
0 Karma

Jasmine
Path Finder

Great it works fine. Thank you!

In dropdownlist I have set Initial Value - All

in static options

Name = All
Value = *

So during initial load drop downlist loads with All and seems it set the value as * -- so  No records returned

|where Designation = "*"

I hard coded as "All" . Here also no records returned

|where Designation = "All"

Do we have any way to return all the values on initial load?(as Designation dropdownlist is with "All")

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Change "where" to "search"

0 Karma

Jasmine
Path Finder

Great!!!! Thank you very much!!!! Much Appreciated!!!!

0 Karma

Jasmine
Path Finder

Hello,

I have three downdownlist for Name, Designation, Address1.
For all dropdownlist i have All by default.

I have following senarios:
Initially all the dropdownlist and corresponding results should be shown

If Designation is Manager or if I  select All then I have to show Address1 dropdownlist
If Designation is Admin (only Admin) then i have to hide Address1 dropdownlist

Coding is as below:

<input type="dropdown" token="desigToken" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
       <change>
         <condition value="Manager">
             <set token="show_address">true</set>
        </condition>
        <condition value="All">
             <set token="show_address">true</set>
        </condition>
        <condition value="Admin">
             <unset token="show_address"></unset>
        </condition>
       </change>

In Address dropdownlist i have added depends as below:

<input type="dropdown" token="addressToken" depends="$show_address$" searchWhenChanged="true">

Currently it works as below: (below  cases are fine)

1) If I  select Manager then Address1 dropdownlist displayed
2) If I select Admin then Address1 dropdownlist getting hidden

I am facing following issues

1) When page load it doesnt show Address1 dropdownlist and also Admin related record is missing.. How to show all the dropdownlist and corresponding search results on page load.. (Only I have to hide based on designation dropdownlist value(Admin))
2) If I select Admin from Designation dropdown also values not getting displayed. (query takes hidden field value also). what change need to do in query level?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

At the top of the dashboard code, you can add an <init> block, in which you can define tokens that you want set when the dashboard loads.

0 Karma

Jasmine
Path Finder

ok, let me try.

How to set the query based on the condition for the dropdownlist hidden with the main query?

| stats values(*) as * by EmpId |search Name = $nameToken|s$ AND Designation = $desigToken|s$ AND Address1 = $addToken|s$ |table EmpId, Name, Designation, Address1,Address2,Location,officeInfo

if Address1 dropdownlist got hidden, then my query would be

| stats values(*) as * by EmpId |search Name = $nameToken|s$ AND Designation = $desigToken|s$ |table EmpId, Name, Designation, Address1,Address2,Location,officeInfo

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Two options here - set the default value for addToken to "*"; or create a new token to use in your search which includes the "AND Address1 = $addtoken|s$" and unset this token if address is hidden

0 Karma

Jasmine
Path Finder

Hello,

1) set the default value for addToken to "*" - I am not able to set this as i am dynamically loading. but in Static options i have set Name =All and Value =*
2) create a new token to use in your search which includes the "AND Address1 = $addtoken|s$" and unset this token if address is hidden - i believe i have already tried this.. are you pointing that?

<input type="dropdown" token="desigToken" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
       <change>
         <condition value="Manager">
             <set token="show_address">true</set>
        </condition>
        <condition value="All">
             <set token="show_address">true</set>
        </condition>
        <condition value="Admin">
             <unset token="show_address"></unset>
        </condition>
       </change>

In Address dropdownlist i have added depends as below:

<input type="dropdown" token="addressToken" depends="$show_address$" searchWhenChanged="true">


and already i have added as "AND Address1 = $addtoken|s$" in my search query.

But iam facing the issue when the address is hidden also it takes the value and displays nothing.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

No, the new token has to replace the "AND Addres1=$addToken|s$" in the search for the panel. This is because when the address panel is hidden, the addToken still equates to something and the search still includes "AND Address1=" followed by whatever the addToken contains, which may account for you not getting any results.

0 Karma

Jasmine
Path Finder

do you want to add  new token in designation dropdown as added below?

 

<input type="dropdown" token="desigToken" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
       <change>
         <condition value="Manager">
             <set token="show_address">true</set>
        </condition>
        <condition value="All">
             <set token="show_address">true</set>
        </condition>
        <condition value="Admin">
             <unset token="show_address"></unset>
        </condition>
	<condition value="Admin">
             <unset token="hide_address"></unset>
        </condition>
       </change>

 

And in query you want this change?

| stats values(*) as * by EmpId |search Name = $nameToken|s$ AND Designation = $desigToken|s$ AND  Address1 = $hide_address|s$ |table EmpId, Name, Designation, Address1,Address2,Location,officeInfo

Also  we have to show address when the designation is manager

| stats values(*) as * by EmpId |search Name = $nameToken|s$ AND Designation = $desigToken|s$ AND Address1 = $addToken|s$ |table EmpId, Name, Designation, Address1,Address2,Location,officeInfo

How to handle both in single place?

 

 

0 Karma

Jasmine
Path Finder

it works now.. only minor tweak needed.

<input type="dropdown" token="desigToken" searchWhenChanged="true">
      <label>Type</label>
      <choice value="*">All</choice>
       <change>
         <condition value="Manager">
             <set token="show_address">true</set>
        </condition>
        <condition value="All">
             <set token="show_address">true</set>
        </condition>
        <condition value="Admin">
             <unset token="show_address"></unset>
        </condition>
       </change>
<input type="dropdown" token="addressToken" depends="$show_address$" searchWhenChanged="true">

 

Can I set default value to the addressToken dropdown list to 'All' when desigToken dropdownlist is "Admin"
And I have already set both intialvalue and default value to All for addressToken. But If I change any value from addressToken dropdownlist other than "All", and if i choose "Admin" from desigToken dropdown value getting passed. Can we control this in design itself?

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...