Solved: Add 2 static rows to dropdown search results befor...

basandlin · ‎10-20-2020

I am populating dropdown options with the following search. Right now, this is the search.

| search service="$service_tok$"
| stats dc(region) by region Platform
| sort - Platform
| rex field=region "_(?<parse_regions>[^_]+)$"
| eval formatted_region = coalesce(parse_regions, region)

I am doing some formatting to make my list look like this:

Azure - Global
Azure - Central US
AWS - Global
AWS - ap-northeast-1

However, we would like to add two rows with 'label' fields called "AWS" and "Azure" so that we can style them in CSS to be the labels in a sectioned list like so:

*Azure*
Global
Central US
__________
*AWS*
Global
ap-northeast-1

any ideas how I could add these 2 rows and have the sort work out to where the labels are at the top?

I have tried to add these choices with appendpipe, but the row appears, then disappears before the search completes.

bowesmana · ‎10-20-2020

@basandlin

Does this example give you what you want?

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="region_select" searchWhenChanged="true">
      <label>Choose Cloud/Region</label>
      <fieldForLabel>region_label</fieldForLabel>
      <fieldForValue>region_choice</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [ 
  | stats count by cloud 
  | eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="match($region_select$,&quot;^!&quot;)">
          <unset token="region_chosen"></unset>
        </condition>
        <condition match="NOT match($region_select$,&quot;^!&quot;)">
          <set token="region_chosen">$region_select$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$region_chosen$">
    <panel>
      <html>
        <h1>No region yet chosen</h1>
      </html>
    </panel>
  </row>
  <row depends="$region_chosen$">
    <panel>
      <table>
        <title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
        <search>
          <query>| makeresults
          | eval Choice=$region_chosen|s$
          | rex field=Choice "(?&lt;cloud&gt;[^!]+)!(?&lt;region&gt;.*)"
          | table cloud region</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

View solution in original post

bowesmana · ‎10-20-2020

@basandlin

Does this example give you what you want?

<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="region_select" searchWhenChanged="true">
      <label>Choose Cloud/Region</label>
      <fieldForLabel>region_label</fieldForLabel>
      <fieldForValue>region_choice</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="cloud,region
Azure,Global
Azure,Central US
AWS,Global
AWS,ap-northeast-1"
| multikv forceheader=1
| table cloud region
| appendpipe [ 
  | stats count by cloud 
  | eval region="!"
]
| sort cloud region
| eval region_choice=if(region="!","!".cloud."!",cloud."!".region)
| eval region_label=if(region="!",cloud,region)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition match="match($region_select$,&quot;^!&quot;)">
          <unset token="region_chosen"></unset>
        </condition>
        <condition match="NOT match($region_select$,&quot;^!&quot;)">
          <set token="region_chosen">$region_select$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row rejects="$region_chosen$">
    <panel>
      <html>
        <h1>No region yet chosen</h1>
      </html>
    </panel>
  </row>
  <row depends="$region_chosen$">
    <panel>
      <table>
        <title>Cloud and region chosen from $region_select$ - $region_chosen$</title>
        <search>
          <query>| makeresults
          | eval Choice=$region_chosen|s$
          | rex field=Choice "(?&lt;cloud&gt;[^!]+)!(?&lt;region&gt;.*)"
          | table cloud region</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Add 2 static rows to dropdown search results before sort

eval

field extraction

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation