Why doesn't the pulldown work the first time I select a value (with a trivial Example!)?

ifeldshteyn
Communicator

Hello,

I have a really simple dashboard with a single pulldown. I notice that it never seems to take effect the first time I select a value — only the second time.

Here is the code with a base search and a simple table panel over the past hour. If I load this in Splunk (6.5.2) and run it, I will see the dropdown populated. If I choose one source type, it will immediately update the pulldown options but NOT update the table results. If I reset and choose another source type, it then takes effect. Hypothesis: this is because of a base search and filtering search for the dropdowns? I'd like for it to work the first time without requiring a Submit button. Note: I tried setting the option searchWhenChanged, but it didn't help. (searchWhenChanged="true")

<form>
  <label>test</label>
  <search id="base">
    <query>index =_internal earliest=-1h| fields sourcetype</query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype">
      <label>Sourcetypes</label>
      <choice value="*">All SourceTypes</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search base="base">
        <query>search sourcetype="*$sourcetype$*" | dedup sourcetype | sort sourcetype</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>search sourcetype="*$sourcetype$*" | head </query>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma

chrisyounger
SplunkTrust

Hi @ifeldshteyn

I just tested this dashboard in my 7.1 Splunk instance and it works perfectly - it always updates the raw results and the table. However, I do find it unusual that you are using a token to update the search of the input that sets the token.

I made a few minor updates to your dashboard that you could try:

<form>
   <label>test</label>
   <search id="base">
     <!-- You should specify all fields that you plan to use later -->
     <query>index =_internal earliest=-1h| fields sourcetype _raw _time</query>
   </search>
   <fieldset submitButton="false">
     <input type="dropdown" token="sourcetype">
       <label>Sourcetypes</label>
       <choice value="*">All SourceTypes</choice>
       <default>*</default>
       <fieldForLabel>sourcetype</fieldForLabel>
       <fieldForValue>sourcetype</fieldForValue>
       <search base="base">
         <!-- Remove filter on sourcetype -->
         <query>dedup sourcetype | sort sourcetype</query>
       </search>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search base="base">
           <!-- Use the $|s$ quoting when using tokens -->
           <query>search sourcetype=$sourcetype|s$ | head </query>
         </search>
       </table>
     </panel>
   </row>
 </form>
0 Karma

ifeldshteyn
Communicator

Hi, I know I can get this to work, but then, if I add additional pulldowns, they are not filtered. Here is an example with an additional pulldown of Source. If I filter a sourcetype, the source pulldown is not filtered and vice versa. In effect, I want, upon a pulldown selection, to filter the options in other pulldowns AND the downstream data. And I can get it to work only if I select something twice, or use a submit button, which I was hoping to avoid.

<input type="dropdown" token="sourcetype" searchWhenChanged="true">
  <label>Sourcetypes</label>
  <choice value="*">All SourceTypes</choice>
  <default>*</default>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <search base="base">
    <query>dedup sourcetype | sort sourcetype</query>
  </search>
</input>
<input type="dropdown" token="source" searchWhenChanged="true">
  <label>Sourcetypes</label>
  <choice value="*">All Source</choice>
  <default>*</default>
  <fieldForLabel>source</fieldForLabel>
  <fieldForValue>source</fieldForValue>
  <search base="base">
    <query>dedup source | sort source</query>
  </search>
</input>


<panel>
  <table>
    <search base="base">
      <query>search sourcetype="*$sourcetype$*" source = "*$source$*"| head</query>
    </search>
  </table>
</panel>
0 Karma