Solved: Re: data is not populating using dropdown selectio...

Khushboo · ‎01-02-2021

Hi Everyone,

I have extracted field name status using rex. Then I have added dropdown input in which I have all the values of status.
But data is not getting refreshed after selecting any value from dropdown.
Though i have tried highlighted (status = $status$ ) in base query, where another dropdown with name level is working fine.

PFB snippet of my code:
<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ status = $status$
| sort id asc
| rex field=msg "\{\"status\"\:\s+\"(?<status>[^\"\}]+)"
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id, status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>

scelikok · ‎01-04-2021

Please try as below;

<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ 
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
| search status = $status$
| sort id asc
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎01-04-2021

Please try as below;

<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ 
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
| search status = $status$
| sort id asc
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎01-02-2021

Hi @Khushboo, you are filtering before extracting status field. Please try below;

<form>
<search id="base_search">
<query>
index=abc sourcetype=xyz earliest = $earliest$ latest = now()
id = $id$ level = $level$ 
| rex field=msg "\{\"status\"\:\s+\"(?&lt;status&gt;[^\"\}]+)"
| where status = $status$
| sort id asc
</query>
</search>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="id" searchWhenChanged="true">
<label>Request Id</label>
<choice value="*">ALL</choice>
<fieldForLabel>id</fieldForLabel>
<fieldForValue>id</fieldForValue>
<search base="base_search_filter">
<query>search | dedup id
| table id</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="status" searchWhenChanged="true">
<label>Status</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_search_filter">
<query> search | dedup status
| table status</query>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base_search">
<query> search
| table id,  status,
</query>
</search>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Khushboo · ‎01-04-2021

It is throwing me error:
Error in 'where' command: The expression is malformed. An unexpected character is reached at '* '.

data is not populating using dropdown selection

using Splunk Enterprise

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?