Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

data is not populating using dropdown selection

Khushboo
Explorer
‎01-02-2021 11:45 AM

Hi Everyone,

I have extracted field  name status using rex. Then I have added dropdown input in which I have all the values of status. 
But data is not getting refreshed after selecting any value from dropdown.
Though i have tried highlighted (status = $status$ ) in base query, where another dropdown with name level is working fine.

PFB snippet of my code:
<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ status = $status$
| sort id asc
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-04-2021 12:54 AM

Please try as below;

<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ 
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
| search status = $status$
| sort id asc
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-04-2021 12:54 AM

Please try as below;

<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ 
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
| search status = $status$
| sort id asc
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-02-2021 11:49 PM

Hi @Khushboo, you are filtering before extracting status field. Please try below;

<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ 
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
| where status = $status$
| sort id asc
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Khushboo
Explorer
‎01-04-2021 12:38 AM

It is throwing me error:
Error in 'where' command: The expression is malformed. An unexpected character is reached at '* '.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...