Solved: Add 2 static rows to dropdown search results befor...

basandlin · ‎10-20-2020

I am populating dropdown options with the following search. Right now, this is the search.

| search service="$service_tok$"
| stats dc(region) by region Platform
| sort - Platform
| rex field=region "_(?<parse_regions>[^_]+)$"
| eval formatted_region = coalesce(parse_regions, region)

I am doing some formatting to make my list look like this:

Azure - Global
Azure - Central US
AWS - Global
AWS - ap-northeast-1

However, we would like to add two rows with 'label' fields called "AWS" and "Azure" so that we can style them in CSS to be the labels in a sectioned list like so:

*Azure*
Global
Central US
__________
*AWS*
Global
ap-northeast-1

any ideas how I could add these 2 rows and have the sort work out to where the labels are at the top?

I have tried to add these choices with appendpipe, but the row appears, then disappears before the search completes.

bowesmana · ‎10-20-2020

@basandlin

Does this example give you what you want?

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="region_select" searchWhenChanged="true">
      <label>Choose Cloud/Region</label>
      <fieldForLabel>region_label</fieldForLabel>
      <fieldForValue>region_choice</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [ 
  | stats count by cloud 
  | eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="match($region_select$,&quot;^!&quot;)">
          <unset token="region_chosen"></unset>
        </condition>
        <condition match="NOT match($region_select$,&quot;^!&quot;)">
          <set token="region_chosen">$region_select$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$region_chosen$">
    <panel>
      <html>
        <h1>No region yet chosen</h1>
      </html>
    </panel>
  </row>
  <row depends="$region_chosen$">
    <panel>
      <table>
        <title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
        <search>
          <query>| makeresults
          | eval Choice=$region_chosen|s$
          | rex field=Choice "(?&lt;cloud&gt;[^!]+)!(?&lt;region&gt;.*)"
          | table cloud region</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

bowesmana · ‎10-20-2020

@basandlin

Does this example give you what you want?

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="region_select" searchWhenChanged="true">
      <label>Choose Cloud/Region</label>
      <fieldForLabel>region_label</fieldForLabel>
      <fieldForValue>region_choice</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [ 
  | stats count by cloud 
  | eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="match($region_select$,&quot;^!&quot;)">
          <unset token="region_chosen"></unset>
        </condition>
        <condition match="NOT match($region_select$,&quot;^!&quot;)">
          <set token="region_chosen">$region_select$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$region_chosen$">
    <panel>
      <html>
        <h1>No region yet chosen</h1>
      </html>
    </panel>
  </row>
  <row depends="$region_chosen$">
    <panel>
      <table>
        <title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
        <search>
          <query>| makeresults
          | eval Choice=$region_chosen|s$
          | rex field=Choice "(?&lt;cloud&gt;[^!]+)!(?&lt;region&gt;.*)"
          | table cloud region</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Add 2 static rows to dropdown search results before sort

eval

field extraction

fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!