Splunk Search

How do you add a static drop-down for specific field values with conditonal?

UMDTERPS
Communicator
System OS 
ABC Windows-Server-2016
ABC Windows-10-Enterprise
ABC Mac-OSX
DEF Windows Server-2016
DEF Windows Server-2012
DEF Red Hat v8.2 

Above is a little generic data that is in a CSV/lookup, there is a "System" and "OS" field. I have one drop-down that filters by a system that works by dynamically populating. I want to add another drop-down that is static, that filters by server/non-server:

Windows-10-Enterprise, OSX, etc would be "Non-Server"
Red Hat v8.2, WIndows Server-2012, Windows Server-2016, etc would be "Server".
* would be for all OS

I tried adding these as static options, but I can't seem to get it to work. Only "*" works for an all option.

Any ideas?

alt text

0 Karma
1 Solution

to4kawa
Ultra Champion
<form>
   <label>multi select</label>
   <search id="base">
     <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
      <fieldset submitButton="false">
        <input type="dropdown" token="system">
       <label>System</label>
       <fieldForLabel>System</fieldForLabel>
       <fieldForValue>System</fieldForValue>
       <search base="base">
         <query>
 | dedup System</query>
       </search>
     </input>
     <input type="dropdown" token="server">
       <label>server</label>
       <fieldForLabel>SERVER</fieldForLabel>
       <fieldForValue>SERVER</fieldForValue>
       <search base="base">
         <query>| dedup SERVER</query>
       </search>
     </input>

   </fieldset>
   <row>
     <html>
       <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
     </html>
   </row>
   <row>
     <panel>
       <table>
         <search base="base">
           <query>| search System=$system$ AND SERVER=$server$</query>
         </search>
       </table>
     </panel>
   </row>
 </form>

View solution in original post

0 Karma

UMDTERPS
Communicator

Thanks for the reply, I'm trying to get two drop downs. One with a system name drop-down and another drop-down with "Server" and "Non-Server" as options to select. I want the system drop-down to populate the systems and the other drop-down to have "Server" and "Non-Server" options to select. So essentially, I want to combine your first two drop-downs into one. I attached a pic to show what I would like to do.

Any ideas?

alt text

0 Karma

to4kawa
Ultra Champion

I can't see your latest pic. how about updated my answer?

0 Karma

UMDTERPS
Communicator

I made a slight mod to the SPL/XML, but it works! THANKS! 😃

<form>
    <label>Dropdown Test 2</label>
    <search id="base">
      <query>| inputlookup system.csv
 | multikv forceheader=1
 | table System OS
| eval SERVER=if(match(OS,"(?i)server|Red Hat"),"Server","non-Server")</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
       <fieldset submitButton="false">
         <input type="dropdown" token="system">
        <label>System</label>
        <fieldForLabel>System</fieldForLabel>
        <fieldForValue>System</fieldForValue>
        <search base="base">
          <query>
  | dedup System</query>
        </search>
      </input>
      <input type="dropdown" token="server">
        <label>server</label>
        <fieldForLabel>SERVER</fieldForLabel>
        <fieldForValue>SERVER</fieldForValue>
        <search base="base">
          <query>| dedup SERVER</query>
        </search>
      </input>

    </fieldset>
    <row>
      <html>
        <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
      </html>
    </row>
    <row>
      <panel>
        <table>
          <search base="base">
            <query>| search System=$system$ AND SERVER=$server$</query>
          </search>
        </table>
      </panel>
    </row>
  </form>
0 Karma

to4kawa
Ultra Champion
<form>
   <label>multi select</label>
   <search id="base">
     <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
      <fieldset submitButton="false">
        <input type="dropdown" token="system">
       <label>System</label>
       <fieldForLabel>System</fieldForLabel>
       <fieldForValue>System</fieldForValue>
       <search base="base">
         <query>
 | dedup System</query>
       </search>
     </input>
     <input type="dropdown" token="server">
       <label>server</label>
       <fieldForLabel>SERVER</fieldForLabel>
       <fieldForValue>SERVER</fieldForValue>
       <search base="base">
         <query>| dedup SERVER</query>
       </search>
     </input>

   </fieldset>
   <row>
     <html>
       <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
     </html>
   </row>
   <row>
     <panel>
       <table>
         <search base="base">
           <query>| search System=$system$ AND SERVER=$server$</query>
         </search>
       </table>
     </panel>
   </row>
 </form>
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...