Splunk Enterprise

How to stop Splunk dropdown grouping items together

New Member

Hello,

We have JSON data like below that Splunk is ingesting:

[{
    "IdA": "1",
    "NameA": "One",
    "Children": [{
            "IdB": "2",
            "NameB": "Two"
        },
        {
            "IdB": "3",
            "NameB": "Three"
        }
    ]
}]

We have a dropdown which displays IdB's as values and NameB's as labels. However, the dropdown is grouping these NameB's together in groups of IdA's as comma-separated values.

We need all the NameB's to be their own entry in the dropdown.

Here is our current attempt:

<input type="dropdown" token="Children" searchWhenChanged="true">
  <label>Children</label>
  <search>
    <query> sourcetype=_json | table Children{}.IdB, Children{}.NameB | dedup Children{}.IdB, Children{}.NameB | sort Children{}.NameB</query>
  </search>
  <fieldForLabel>Children{}.NameB</fieldForLabel>
  <fieldForValue>Children{}.IdB</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <initialValue>*</initialValue>
</input>

Any idea of how to solve this?

Thank you

0 Karma

Revered Legend

Use this as your dropdown search

<input type="dropdown" token="Children" searchWhenChanged="true">
  <label>Children</label>
  <!-- mvzip pairs each IdB with its NameB, mvexpand gives one row per pair, rex splits the pair again.
       Field names are case-sensitive (IdB, not idB); CDATA keeps the rex capture groups valid XML. -->
  <search>
    <query><![CDATA[sourcetype=_json | table Children{}.IdB, Children{}.NameB | rename Children{}.* as * | dedup IdB, NameB | eval temp=mvzip(IdB,NameB,"#") | table temp | mvexpand temp | rex field=temp "(?<IdB>.+)#(?<NameB>.+)" | table IdB NameB | sort NameB]]></query>
  </search>
  <fieldForLabel>NameB</fieldForLabel>
  <fieldForValue>IdB</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
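
An alternative way to get one row per child, as an added example that is not part of the original thread: a run-anywhere search that builds one constructed event with makeresults (the sample object from the question without the outer array, which is an assumption about how the events are broken), pulls each element of Children{} out as its own JSON string with spath, and expands them with mvexpand so that IdB and NameB stay paired. The field name child is a hypothetical helper name.

```spl
| makeresults
| eval _raw="{\"IdA\":\"1\",\"NameA\":\"One\",\"Children\":[{\"IdB\":\"2\",\"NameB\":\"Two\"},{\"IdB\":\"3\",\"NameB\":\"Three\"}]}"
| spath path=Children{} output=child
| mvexpand child
| spath input=child
| dedup IdB, NameB
| table IdB NameB
| sort NameB
```

To use it in the dropdown, replace the makeresults and eval lines with the base search (sourcetype=_json) and keep NameB and IdB as fieldForLabel and fieldForValue.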

New Member

If I append | stats count by Children{}.IdB, the dropdown is split correctly. However, the dropdown contains the IdBs and not the NameBs; is there then a way to use NameBs after?

0 Karma