Splunk Search

How do you add a static drop-down for specific field values with conditional?

Communicator
System  OS
ABC     Windows-Server-2016
ABC     Windows-10-Enterprise
ABC     Mac-OSX
DEF     Windows Server-2016
DEF     Windows Server-2012
DEF     Red Hat v8.2

Above is a little generic data that is in a CSV/lookup, there is a "System" and "OS" field. I have one drop-down that filters by a system that works by dynamically populating. I want to add another drop-down that is static, that filters by server/non-server:

Windows-10-Enterprise, OSX, etc would be "Non-Server"
Red Hat v8.2, Windows Server-2012, Windows Server-2016, etc would be "Server".
* would be for all OS

I tried adding these as static options, but I can't seem to get it to work. Only "*" works for an all option.

Any ideas?


0 Karma

SplunkTrust
<form>
   <label>multi select</label>
   <search id="base">
     <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
   <fieldset submitButton="false">
     <input type="dropdown" token="system">
       <label>System</label>
       <fieldForLabel>System</fieldForLabel>
       <fieldForValue>System</fieldForValue>
       <search base="base">
         <query>
 | dedup System</query>
       </search>
     </input>
     <input type="dropdown" token="server">
       <label>server</label>
       <fieldForLabel>SERVER</fieldForLabel>
       <fieldForValue>SERVER</fieldForValue>
       <search base="base">
         <query>| dedup SERVER</query>
       </search>
     </input>

   </fieldset>
   <row>
     <html>
       <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
     </html>
   </row>
   <row>
     <panel>
       <table>
         <search base="base">
           <query>| search System=$system$ AND SERVER=$server$</query>
         </search>
       </table>
     </panel>
   </row>
 </form>


0 Karma

Communicator

Thanks for the reply, I'm trying to get two drop downs. One with a system name drop-down and another drop-down with "Server" and "Non-Server" as options to select. I want the system drop-down to populate the systems and the other drop-down to have "Server" and "Non-Server" options to select. So essentially, I want to combine your first two drop-downs into one. I attached a pic to show what I would like to do.

Any ideas?


0 Karma

SplunkTrust

I can't see your latest pic. How about my updated answer?

0 Karma

Communicator

I made a slight mod to the SPL/XML, but it works! THANKS! 😃

<form>
    <label>Dropdown Test 2</label>
    <search id="base">
      <query>| inputlookup system.csv
 | multikv forceheader=1
 | table System OS
| eval SERVER=if(match(OS,"(?i)server|Red Hat"),"Server","non-Server")</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <fieldset submitButton="false">
      <input type="dropdown" token="system">
        <label>System</label>
        <fieldForLabel>System</fieldForLabel>
        <fieldForValue>System</fieldForValue>
        <search base="base">
          <query>
  | dedup System</query>
        </search>
      </input>
      <input type="dropdown" token="server">
        <label>server</label>
        <fieldForLabel>SERVER</fieldForLabel>
        <fieldForValue>SERVER</fieldForValue>
        <search base="base">
          <query>| dedup SERVER</query>
        </search>
      </input>

    </fieldset>
    <row>
      <html>
        <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
      </html>
    </row>
    <row>
      <panel>
        <table>
          <search base="base">
            <query>| search System=$system$ AND SERVER=$server$</query>
          </search>
        </table>
      </panel>
    </row>
  </form>
0 Karma
