Splunk Dev

Why doesn't the pulldown work the first time I select a value (with a trivial Example!)?

ifeldshteyn
Communicator

Hello,

I have a really simple dashboard with a single pulldown. I notice that it never seems to take effect the first time I select a value — only the second time.

Here is the code with a base search and a simple table panel over the past hour. If I load this in Splunk (6.5.2) and run it, I will see the dropdown populated. If I choose one source type, it will immediately update the pulldown options but NOT update the table results. If I reset and choose another source type, it then takes effect. Hypothesis: this is because of a base search and filtering search for the dropdowns? I'd like for it to work the first time without requiring a Submit button. Note: I tried setting the option searchWhenChanged - but it didn't help. (searchWhenChanged="true")

<form>
  <label>test</label>
  <search id="base">
    <query>index =_internal earliest=-1h| fields sourcetype</query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype">
      <label>Sourcetypes</label>
      <choice value="*">All SourceTypes</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search base="base">
        <query>search sourcetype="*$sourcetype$*" | dedup sourcetype | sort sourcetype</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>search sourcetype="*$sourcetype$*" | head </query>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma

chrisyounger
SplunkTrust

Hi @ifeldshteyn

I just tested this dashboard in my 7.1 Splunk instance and it works perfectly - it always updates the raw results and the table. However, I do find it unusual that you are using a token to update the search of the input that sets the token.

I made a few minor updates to your dashboard that you could try:

<form>
   <label>test</label>
   <search id="base">
     <!-- You should specify all fields that you plan to use later -->
     <query>index =_internal earliest=-1h| fields sourcetype _raw _time</query>
   </search>
   <fieldset submitButton="false">
     <input type="dropdown" token="sourcetype">
       <label>Sourcetypes</label>
       <choice value="*">All SourceTypes</choice>
       <default>*</default>
       <fieldForLabel>sourcetype</fieldForLabel>
       <fieldForValue>sourcetype</fieldForValue>
       <search base="base">
         <!-- Remove filter on sourcetype -->
         <query>dedup sourcetype | sort sourcetype</query>
       </search>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <search base="base">
           <!-- Use the $|s$ quoting when using tokens -->
           <query>search sourcetype=$sourcetype|s$ | head </query>
         </search>
       </table>
     </panel>
   </row>
 </form>
0 Karma

ifeldshteyn
Communicator

Hi, I know I can get this to work, but then, if I add additional pulldowns, they are not filtered. Here is an example with an additional pulldown of Source. If I filter a sourcetype, the source pulldown is not filtered and vice versa. In effect, I want, upon a pulldown selection, to filter the options in other pulldowns AND the downstream data. And I can get it to work only if I select something twice, or use a submit button, which I was hoping to avoid.

<input type="dropdown" token="sourcetype" searchWhenChanged="true">
  <label>Sourcetypes</label>
  <choice value="*">All SourceTypes</choice>
  <default>*</default>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <search base="base">
    <query>dedup sourcetype | sort sourcetype</query>
  </search>
</input>
<input type="dropdown" token="source" searchWhenChanged="true">
  <label>Sources</label>
  <choice value="*">All Source</choice>
  <default>*</default>
  <fieldForLabel>source</fieldForLabel>
  <fieldForValue>source</fieldForValue>
  <search base="base">
    <query>dedup source | sort source</query>
  </search>
</input>


<panel>
  <table>
    <search base="base">
      <query>search sourcetype="*$sourcetype$*" source = "*$source$*"| head</query>
    </search>
  </table>
</panel>
0 Karma
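
One way to wire the two dropdowns from the post above so that each input's populating search is filtered by the other input's token rather than its own, using the `|s` token quoting suggested earlier in the thread. This is an added example, not code from either poster; the dashboard label and the cross-referencing of tokens are assumptions, and it is not claimed to change the first-selection behaviour reported on 6.5.2.

```xml
<form>
  <label>cascading dropdowns (added example)</label>
  <search id="base">
    <!-- Keep every field that the inputs and the panel use later -->
    <query>index=_internal earliest=-1h | fields sourcetype source _raw _time</query>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetypes</label>
      <choice value="*">All SourceTypes</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search base="base">
        <!-- Filtered by the other input's token only, never by this input's own token -->
        <query>search source=$source|s$ | dedup sourcetype | sort sourcetype</query>
      </search>
    </input>
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Sources</label>
      <choice value="*">All Source</choice>
      <default>*</default>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search base="base">
        <!-- Mirror image: the source list narrows to the selected sourcetype -->
        <query>search sourcetype=$sourcetype|s$ | dedup source | sort source</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <!-- The |s filter quotes each token value before it is placed in the query -->
          <query>search sourcetype=$sourcetype|s$ source=$source|s$ | head</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Without the surrounding wildcards a selection matches the field value exactly, while the `*` default still matches every event.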