Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dashboard - multi-select input - how to add "ANY" option apart of the result of a query

jacortijo
Explorer
‎10-12-2020 08:56 AM

Hi,

I am building a dashboard where I have an multi-select input  called locations, which is populated with a query via the dynamic options.

Also, I include a static option called "ANY" with a value *

I have also a token prefix and suffix of  double quotes (") and the delimiter of a coma ( , )

My purpose is later is in my query of one panel to use that token in a where IN clause

 where location in ($locations$)

when I dont select the ANY value, the query works as expected.

where location in ("XXX", "YYY", "ZZZ")

but when I include the ANY in the multi-select input, the query does not seem to work.

where location in ("XXX", "YYY", "ZZZ","*")

Is it possible to do what I intend? is there any easier way to achieve the same?

Many thanks in advance

 

 

 

 

Tags (1)
0 Karma
Reply

jacortijo
Explorer
‎10-13-2020 02:53 AM

Thanks for the suggestion but I get an "undefined" error in Splunk while using your proposal.

I think that the error comes from the third option in the case clause.

<eval token="form.location">

case(mvcount('form.location')==0,"ALL",     // Reasoning: If there is nothing selected... location = "ALL" 

mvcount('form.location')>1 AND mvfind('form.location',"ALL")>0,"ALL",  // Reasoning: if there are multiple selections including ALL.... location ="ALL"

Unfortunately I dont understand the meaning of the last case.

mvcount('form.location')>1 AND mvfind('form.location',"ALL")==0, mvfilter('form.location'!="ALL"),1==1,'form.location')

I assume that the purpose is:  "if there are many selections and none is ALL, just leave it untouched. "

As it didnt work, I tried to replace it with some other code

mvcount('form.location')>1 AND mvfind('form.location',"ALL")==0,'form.location')

but it didnt work at all. Actually ALL get locked in the input field, it is not possible to select anything else or even to remove the ALL

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-13-2020 03:12 AM

mvcount('form.location')=0,"All" - if nothing is selected, set to All

mvcount('form.location')&gt;1 AND mvfind('form.location',"All")&gt;0,"All" - if All has just been added, set to All

mvcount('form.location')&gt;1 AND mvfind('form.location',"All")=0,mvfilter('form.location'!="All") - if something has been added after All, remove All

1==1,'form.location' - otherwise , leave as is

Note that the case has to be all on one line otherwise you get an error

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-12-2020 11:13 AM 
      <input type="multiselect" token="location">
        <label>Select one or more location</label>
        <choice value="All">All</choice>
        <search>
          <query>index=abc | dedup location | fields location</query>
        </search>
        <fieldForLabel>location</fieldForLabel>
        <fieldForValue>location</fieldForValue>
        <prefix>(</prefix>
        <valuePrefix>location ="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
        <suffix>)</suffix>
        <default>All</default>
        <change>
          <eval token="form.location">case(mvcount('form.location')=0,"All",mvcount('form.location')&gt;1 AND mvfind('form.location',"All")&gt;0,"All",mvcount('form.location')&gt;1 AND mvfind('form.location',"All")=0,mvfilter('form.location'!="All"),1==1,'form.location')</eval>
          <eval token="location_choice">if(mvfind('form.location',"All")=0,"location=*",$location$)</eval>
        </change>
      </input>

Your query would use $location_choice$ to filter your results

0 Karma
Reply

jacortijo
Explorer
‎10-13-2020 04:33 AM

I tried once again and it does not work. every time I click in any value of the drop down box, the element seems to be added and removed from the input.

<input type="multiselect" token="location">
      <label>Select location</label>
      <fieldForLabel>location</fieldForLabel>
      <fieldForValue>location</fieldForValue>
      <search>
        <query>index=xxx | dedup location | table location | sort + location</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>location="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <choice value="All">All</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <change>
        <eval token="form.location">case(mvcount('form.location')=0,"All",mvcount('form.location')&gt;1 AND mvfind('form.location',"All")&gt;0,"All",mvcount('form.location')&gt;1 AND mvfind('form.location',"All")=0,mvfilter('form.location'!="All"),1==1,'form.location')</eval>
        <eval token="location_choice">if(mvfind('form.location',"All")=0,"location=*",$location$)</eval>
      </change>
    </input>
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-13-2020 04:46 AM

Try moving the 

<choice value="All">All</choice>

so it is above the search 

      <search>
        <query>index=xxx | dedup location | table location | sort + location</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

That way, if it is there, it will be at index 0 which the case statement relies on

0 Karma
Reply

jacortijo
Explorer
‎10-13-2020 05:15 AM

The issue remains. I tried to simplify it with no luck either.

<change>
<eval token="location_choice">if(mvfind('form.location',"All")>=0,"location=*",$location$)</eval>
</change>

Reasoning: if All is part of the selection , location_choice is set to "location=*" otherwise $location$.

Unfortunately I get a really weird behaviour. It seems like the value of location_choice remains even after I removed the items in the input field. So the dashboard searches are using the old location_choice , very inconsistent behaviour.

could you confirm how does the input actually work? I select a value, the value get appended to the field and fires the change event . Then the eval tag just replace the field value with the result of the case clauses, right? In which moment all prefixes and suffixes are appended? only when the $location$ gets extracted in the second eval?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-13-2020 06:05 AM

The first eval with the case statement operates on the multivalue field associated with the multiselect dropdown and basically deals with whether All is selected or needs to be removed.

The second eval uses the token value built up by using the prefix, value prefix, value, value suffix, and suffix, and assigns the choice token to this string unless All is selected in which case it uses the * option.

The prefixes and suffixes etc. are always there, but just in the named token, not in the multi-value field associated with the multi-select dropdown.

0 Karma
Reply

jacortijo
Explorer
‎10-13-2020 05:45 AM

I finally solved it, far from perfect but it seems to work.

I basically remove all the change events and put a * as value for All.

It generated a not optimal query but it works at least.

 

  <input type="multiselect" token="location" searchWhenChanged="true">
      <label>Select location</label>
      <fieldForLabel>location</fieldForLabel>
      <fieldForValue>location</fieldForValue>
      <choice value="*">All</choice>
      <search>
        <query>index=xxx | dedup location | table location | sort + location</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>location="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
    </input>

 Thanks for the support anyway!  

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...