Solved: How do you add a static drop-down for specific fie...

UMDTERPS · ‎05-15-2020

System OS 
ABC Windows-Server-2016
ABC Windows-10-Enterprise
ABC Mac-OSX
DEF Windows Server-2016
DEF Windows Server-2012
DEF Red Hat v8.2

Above is a little generic data that is in a CSV/lookup, there is a "System" and "OS" field. I have one drop-down that filters by a system that works by dynamically populating. I want to add another drop-down that is static, that filters by server/non-server:

Windows-10-Enterprise, OSX, etc would be "Non-Server"
Red Hat v8.2, WIndows Server-2012, Windows Server-2016, etc would be "Server".
* would be for all OS

I tried adding these as static options, but I can't seem to get it to work. Only "*" works for an all option.

Any ideas?

to4kawa · ‎05-15-2020

<form>
   <label>multi select</label>
   <search id="base">
     <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
      <fieldset submitButton="false">
        <input type="dropdown" token="system">
       <label>System</label>
       <fieldForLabel>System</fieldForLabel>
       <fieldForValue>System</fieldForValue>
       <search base="base">
         <query>
 | dedup System</query>
       </search>
     </input>
     <input type="dropdown" token="server">
       <label>server</label>
       <fieldForLabel>SERVER</fieldForLabel>
       <fieldForValue>SERVER</fieldForValue>
       <search base="base">
         <query>| dedup SERVER</query>
       </search>
     </input>

   </fieldset>
   <row>
     <html>
       <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
     </html>
   </row>
   <row>
     <panel>
       <table>
         <search base="base">
           <query>| search System=$system$ AND SERVER=$server$</query>
         </search>
       </table>
     </panel>
   </row>
 </form>

View solution in original post

UMDTERPS · ‎05-19-2020

Thanks for the reply, I'm trying to get two drop downs. One with a system name drop-down and another drop-down with "Server" and "Non-Server" as options to select. I want the system drop-down to populate the systems and the other drop-down to have "Server" and "Non-Server" options to select. So essentially, I want to combine your first two drop-downs into one. I attached a pic to show what I would like to do.

Any ideas?

to4kawa · ‎05-19-2020

I can't see your latest pic. how about updated my answer?

UMDTERPS · ‎05-20-2020

I made a slight mod to the SPL/XML, but it works! THANKS! 😃

<form>
    <label>Dropdown Test 2</label>
    <search id="base">
      <query>| inputlookup system.csv
 | multikv forceheader=1
 | table System OS
| eval SERVER=if(match(OS,"(?i)server|Red Hat"),"Server","non-Server")</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
       <fieldset submitButton="false">
         <input type="dropdown" token="system">
        <label>System</label>
        <fieldForLabel>System</fieldForLabel>
        <fieldForValue>System</fieldForValue>
        <search base="base">
          <query>
  | dedup System</query>
        </search>
      </input>
      <input type="dropdown" token="server">
        <label>server</label>
        <fieldForLabel>SERVER</fieldForLabel>
        <fieldForValue>SERVER</fieldForValue>
        <search base="base">
          <query>| dedup SERVER</query>
        </search>
      </input>

    </fieldset>
    <row>
      <html>
        <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
      </html>
    </row>
    <row>
      <panel>
        <table>
          <search base="base">
            <query>| search System=$system$ AND SERVER=$server$</query>
          </search>
        </table>
      </panel>
    </row>
  </form>

to4kawa · ‎05-15-2020

<form>
   <label>multi select</label>
   <search id="base">
     <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
      <fieldset submitButton="false">
        <input type="dropdown" token="system">
       <label>System</label>
       <fieldForLabel>System</fieldForLabel>
       <fieldForValue>System</fieldForValue>
       <search base="base">
         <query>
 | dedup System</query>
       </search>
     </input>
     <input type="dropdown" token="server">
       <label>server</label>
       <fieldForLabel>SERVER</fieldForLabel>
       <fieldForValue>SERVER</fieldForValue>
       <search base="base">
         <query>| dedup SERVER</query>
       </search>
     </input>

   </fieldset>
   <row>
     <html>
       <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
     </html>
   </row>
   <row>
     <panel>
       <table>
         <search base="base">
           <query>| search System=$system$ AND SERVER=$server$</query>
         </search>
       </table>
     </panel>
   </row>
 </form>

How do you add a static drop-down for specific field values with conditonal?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?