How do you add a static drop-down for specific field values with conditional?

UMDTERPS
Communicator
System  OS
ABC     Windows-Server-2016
ABC     Windows-10-Enterprise
ABC     Mac-OSX
DEF     Windows Server-2016
DEF     Windows Server-2012
DEF     Red Hat v8.2

Above is a little generic data that is in a CSV/lookup, there is a "System" and "OS" field. I have one drop-down that filters by a system that works by dynamically populating. I want to add another drop-down that is static, that filters by server/non-server:

Windows-10-Enterprise, OSX, etc would be "Non-Server"
Red Hat v8.2, Windows Server-2012, Windows Server-2016, etc would be "Server".
* would be for all OS

I tried adding these as static options, but I can't seem to get it to work. Only "*" works for an all option.

Any ideas?

0 Karma
1 Solution

to4kawa
Ultra Champion
<form>
   <label>multi select</label>
   <search id="base">
     <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
   <fieldset submitButton="false">
     <input type="dropdown" token="system">
       <label>System</label>
       <fieldForLabel>System</fieldForLabel>
       <fieldForValue>System</fieldForValue>
       <search base="base">
         <query>| dedup System</query>
       </search>
     </input>
     <input type="dropdown" token="server">
       <label>server</label>
       <fieldForLabel>SERVER</fieldForLabel>
       <fieldForValue>SERVER</fieldForValue>
       <search base="base">
         <query>| dedup SERVER</query>
       </search>
     </input>
   </fieldset>
   <row>
     <html>
       <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
     </html>
   </row>
   <row>
     <panel>
       <table>
         <search base="base">
           <query>| search System=$system$ AND SERVER=$server$</query>
         </search>
       </table>
     </panel>
   </row>
 </form>

0 Karma

UMDTERPS
Communicator

Thanks for the reply, I'm trying to get two drop downs. One with a system name drop-down and another drop-down with "Server" and "Non-Server" as options to select. I want the system drop-down to populate the systems and the other drop-down to have "Server" and "Non-Server" options to select. So essentially, I want to combine your first two drop-downs into one. I attached a pic to show what I would like to do.

Any ideas?

0 Karma

to4kawa
Ultra Champion

I can't see your latest pic. How about my updated answer?

0 Karma

UMDTERPS
Communicator

I made a slight mod to the SPL/XML, but it works! THANKS! 😃

<form>
    <label>Dropdown Test 2</label>
    <search id="base">
      <query>| inputlookup system.csv
 | multikv forceheader=1
 | table System OS
| eval SERVER=if(match(OS,"(?i)server|Red Hat"),"Server","non-Server")</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <fieldset submitButton="false">
      <input type="dropdown" token="system">
        <label>System</label>
        <fieldForLabel>System</fieldForLabel>
        <fieldForValue>System</fieldForValue>
        <search base="base">
          <query>| dedup System</query>
        </search>
      </input>
      <input type="dropdown" token="server">
        <label>server</label>
        <fieldForLabel>SERVER</fieldForLabel>
        <fieldForValue>SERVER</fieldForValue>
        <search base="base">
          <query>| dedup SERVER</query>
        </search>
      </input>
    </fieldset>
    <row>
      <html>
        <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
      </html>
    </row>
    <row>
      <panel>
        <table>
          <search base="base">
            <query>| search System=$system$ AND SERVER=$server$</query>
          </search>
        </table>
      </panel>
    </row>
  </form>
0 Karma
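
The static Server/Non-Server drop-down the question asks for, written out as an added example that is not part of any post in this thread. It assumes the `system.csv` lookup with `System` and `OS` fields from the thread; the "All" choices, the `Non-Server` spelling and the `red ?hat` pattern are choices made for this example.

```xml
<form>
  <label>Static Server/Non-Server filter (added example)</label>
  <!-- Base search: classify every OS once; the static choices below must
       use exactly the strings this eval writes into SERVER. -->
  <search id="base">
    <query>| inputlookup system.csv
| table System OS
| eval SERVER=if(match(OS,"(?i)server|red ?hat"),"Server","Non-Server")</query>
  </search>
  <fieldset submitButton="false">
    <!-- Dynamic input: populated from the lookup, plus a static "All" entry -->
    <input type="dropdown" token="system" searchWhenChanged="true">
      <label>System</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>System</fieldForLabel>
      <fieldForValue>System</fieldForValue>
      <search base="base">
        <query>| dedup System | fields System</query>
      </search>
    </input>
    <!-- Static input: no populating search, only fixed choices -->
    <input type="dropdown" token="server" searchWhenChanged="true">
      <label>Server type</label>
      <choice value="*">All</choice>
      <choice value="Server">Server</choice>
      <choice value="Non-Server">Non-Server</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base">
          <!-- The |s token filter wraps each value in quotes, so a value
               containing spaces or operators stays a single search term. -->
          <query>| search System=$system|s$ SERVER=$server|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Static options only filter correctly when each `<choice>` value matches a value that exists in the field being searched, which is why the classification is computed into `SERVER` first instead of matching the raw `OS` strings.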
