Solved: Add 2 static rows to dropdown search results befor...

basandlin · ‎10-20-2020

I am populating dropdown options with the following search. Right now, this is the search.

| search service="$service_tok$"
| stats dc(region) by region Platform
| sort - Platform
| rex field=region "_(?<parse_regions>[^_]+)$"
| eval formatted_region = coalesce(parse_regions, region)

I am doing some formatting to make my list look like this:

Azure - Global
Azure - Central US
AWS - Global
AWS - ap-northeast-1

However, we would like to add two rows with 'label' fields called "AWS" and "Azure" so that we can style them in CSS to be the labels in a sectioned list like so:

*Azure*
Global
Central US
__________
*AWS*
Global
ap-northeast-1

any ideas how I could add these 2 rows and have the sort work out to where the labels are at the top?

I have tried to add these choices with appendpipe, but the row appears, then disappears before the search completes.

bowesmana · ‎10-20-2020

@basandlin

Does this example give you what you want?

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="region_select" searchWhenChanged="true">
      <label>Choose Cloud/Region</label>
      <fieldForLabel>region_label</fieldForLabel>
      <fieldForValue>region_choice</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [ 
  | stats count by cloud 
  | eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="match($region_select$,&quot;^!&quot;)">
          <unset token="region_chosen"></unset>
        </condition>
        <condition match="NOT match($region_select$,&quot;^!&quot;)">
          <set token="region_chosen">$region_select$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$region_chosen$">
    <panel>
      <html>
        <h1>No region yet chosen</h1>
      </html>
    </panel>
  </row>
  <row depends="$region_chosen$">
    <panel>
      <table>
        <title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
        <search>
          <query>| makeresults
          | eval Choice=$region_chosen|s$
          | rex field=Choice "(?&lt;cloud&gt;[^!]+)!(?&lt;region&gt;.*)"
          | table cloud region</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

bowesmana · ‎10-20-2020

@basandlin

Does this example give you what you want?

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="region_select" searchWhenChanged="true">
      <label>Choose Cloud/Region</label>
      <fieldForLabel>region_label</fieldForLabel>
      <fieldForValue>region_choice</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [ 
  | stats count by cloud 
  | eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="match($region_select$,&quot;^!&quot;)">
          <unset token="region_chosen"></unset>
        </condition>
        <condition match="NOT match($region_select$,&quot;^!&quot;)">
          <set token="region_chosen">$region_select$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$region_chosen$">
    <panel>
      <html>
        <h1>No region yet chosen</h1>
      </html>
    </panel>
  </row>
  <row depends="$region_chosen$">
    <panel>
      <table>
        <title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
        <search>
          <query>| makeresults
          | eval Choice=$region_chosen|s$
          | rex field=Choice "(?&lt;cloud&gt;[^!]+)!(?&lt;region&gt;.*)"
          | table cloud region</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Add 2 static rows to dropdown search results before sort

eval

field extraction

fields

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?