Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add 2 static rows to dropdown search results befor...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
basandlin
Engager
10-20-2020
06:07 PM
I am populating dropdown options with the following search. Right now, this is the search.
| search service="$service_tok$"
| stats dc(region) by region Platform
| sort - Platform
| rex field=region "_(?<parse_regions>[^_]+)$"
| eval formatted_region = coalesce(parse_regions, region)
I am doing some formatting to make my list look like this:
Azure - Global
Azure - Central US
AWS - Global
AWS - ap-northeast-1
However, we would like to add two rows with 'label' fields called "AWS" and "Azure" so that we can style them in CSS to be the labels in a sectioned list like so:
*Azure*
Global
Central US
__________
*AWS*
Global
ap-northeast-1
any ideas how I could add these 2 rows and have the sort work out to where the labels are at the top?
I have tried to add these choices with appendpipe, but the row appears, then disappears before the search completes.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
10-20-2020
08:46 PM
Does this example give you what you want?
<form>
<label>test_dropdown</label>
<fieldset submitButton="false">
<input type="dropdown" token="region_select" searchWhenChanged="true">
<label>Choose Cloud/Region</label>
<fieldForLabel>region_label</fieldForLabel>
<fieldForValue>region_choice</fieldForValue>
<search>
<query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [
| stats count by cloud
| eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<condition match="match($region_select$,"^!")">
<unset token="region_chosen"></unset>
</condition>
<condition match="NOT match($region_select$,"^!")">
<set token="region_chosen">$region_select$</set>
</condition>
</change>
</input>
</fieldset>
<row rejects="$region_chosen$">
<panel>
<html>
<h1>No region yet chosen</h1>
</html>
</panel>
</row>
<row depends="$region_chosen$">
<panel>
<table>
<title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
<search>
<query>| makeresults
| eval Choice=$region_chosen|s$
| rex field=Choice "(?<cloud>[^!]+)!(?<region>.*)"
| table cloud region</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bowesmana
SplunkTrust
10-20-2020
08:46 PM
Does this example give you what you want?
<form>
<label>test_dropdown</label>
<fieldset submitButton="false">
<input type="dropdown" token="region_select" searchWhenChanged="true">
<label>Choose Cloud/Region</label>
<fieldForLabel>region_label</fieldForLabel>
<fieldForValue>region_choice</fieldForValue>
<search>
<query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [
| stats count by cloud
| eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<condition match="match($region_select$,"^!")">
<unset token="region_chosen"></unset>
</condition>
<condition match="NOT match($region_select$,"^!")">
<set token="region_chosen">$region_select$</set>
</condition>
</change>
</input>
</fieldset>
<row rejects="$region_chosen$">
<panel>
<html>
<h1>No region yet chosen</h1>
</html>
</panel>
</row>
<row depends="$region_chosen$">
<panel>
<table>
<title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
<search>
<query>| makeresults
| eval Choice=$region_chosen|s$
| rex field=Choice "(?<cloud>[^!]+)!(?<region>.*)"
| table cloud region</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
