Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dropdown and input options on output which is obtained using join command

supriyagaw08
Explorer
‎12-24-2020 04:20 AM

Hi All,

I am trying to add dropdown on workname but output always comes as no records found although that workname is present in the dashboard output.

Below is my code:

$Env$ sourcetype = s $field2$$input$
| table XMIT_NM,USER_NM,WORK_ID,FILE_NM,FILE_ID
| join
[ search $Env$ sourcetype=b
| table WORK_ID WORK_NM ]
| table XMIT_NM,USER_NM,WORK_NM,FILE_NM,FILE_ID

Below is my XML:
<input type="dropdown" token="field2" searchWhenChanged="true">
<label>Search</label>
<choice value="&quot;*&quot;">Any</choice>

<choice value="USER_NM">username</choice>
<choice value="WORK_NM">Work name</choice>
<default>"*"</default>
<initialValue>"*"</initialValue>


I have tried <choice value="WORK_NM=">Work name</choice> and <choice value="&quot;WORK_NM&quot;">Work name</choice> as well but its not working but search using USER_NM is working fine, please suggest is it due to WORK_NM is output from join command and hence it cannot be used or any other ways to make this work.

 

Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-04-2021 03:53 AM

Hi @supriyagaw08,

If WORK_NM is only exist on sub-search that is why your "field2" token filters everything on the first search.

It will make Splunk search/join more events but below may work;

$Env$ sourcetype = s 
| table XMIT_NM,USER_NM,WORK_ID,FILE_NM,FILE_ID
| join
[ search $Env$ sourcetype=b
| table WORK_ID WORK_NM ]
| search $field2$$input$
| table XMIT_NM,USER_NM,WORK_NM,FILE_NM,FILE_ID

 

If this reply helps you an upvote is appreciated. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

supriyagaw08
Explorer
‎01-04-2021 03:20 AM

Any help on this will be appreciated, thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...