Splunk Search

Access Field for Value in Drop Down loaded by an input lookup file

mhornste
Path Finder

Hi,

I have prepared an input lookup file which has the following contents:

OperationCode,Meaning,Direction
1001,Create Document,RemoteCache

I have managed to create a drop down which loads the Meaning field from the input lookup as Field for Label.

The drop down looks as follows:

 <input type="dropdown" token="RCFunctionSelector">
      <label>field1</label>
      <default>1001</default>
      <fieldForLabel>Meaning</fieldForLabel>
      <fieldForValue>OperationCode</fieldForValue>
      <search>
        <query>| inputlookup otcs_remote_cache_lookup.csv 
|  table Meaning, OperationCode</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <initialValue>1001</initialValue>
    </input>

I'd like to achieve now that the Field for Value (= OperationCode in lookup) can be used in a search.

I started with the query which doesn't work:

index=rc sourcetype=OtcsRemoteCache Operation=$OperationCode$
|  table _time,Time_ms

How can I access the Field for Value variable of a drop down for a search?

Thanks!

Tags (4)
0 Karma
1 Solution

knielsen
Contributor

You need to reference the token of that input in your query, so replace $OperationCode$ with $RCFunctionSelector$.

View solution in original post

0 Karma

mhornste
Path Finder

Hi,

thank you for your response. I'm afraid I explained not well enough.alt text

I'd like to see the "Get Version Content" in the Description of the Dashboard, e.g.:

"Performance by Operation for Get Version Content "

I can use the DropDown Token $RCFunctionSelector$ but then I only get the Value (in this case 1001) instead of the meaning of the operation.

Thanks!

0 Karma

knielsen
Contributor

that should be exactly what the addition of this in your input definition should make possible:

<change>
   <set token="labelstring">$label$</set>
 </change>

whenever you change the dropdown, the token "labelstring" gets set to the label of the selected value.

0 Karma

mhornste
Path Finder

Thank you, it worked. I must have been blind not to see it.

Do you know if there is a way to access the Label value of the drop down in a search or description? On top of the dashboard, I'd like to display the currently selected Value (=Meaning).

Thank you!

0 Karma

aaronwalker
Engager

You can do this with a change block in the input object that sets a new token to the label, like:

<change>
     <set token="dropdown_label">$label$</set>
</change>

See the following link for more details:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Viz/tokens#Access_labels_and_values_of_form_...

0 Karma

knielsen
Contributor

Happens to everyone, to oversee the obvious. 🙂

Accessing the Label should be possible as well. Something in the spirit of

       <label>field1</label>
       <default>1001</default>
       <fieldForLabel>Meaning</fieldForLabel>
       <fieldForValue>OperationCode</fieldForValue>
       <search>
         <query>| inputlookup otcs_remote_cache_lookup.csv 
 |  table Meaning, OperationCode
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </search>
<change>
  <set token="labelstring">$label$</set>
</change>

       <initialValue>1001</initialValue>
     </input>`

and then reference $labelstring$ later on.

0 Karma

knielsen
Contributor

You need to reference the token of that input in your query, so replace $OperationCode$ with $RCFunctionSelector$.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...