Splunk Search

How do you add a static drop-down for specific field values with conditional?

UMDTERPS
Communicator
System  OS
ABC     Windows-Server-2016
ABC     Windows-10-Enterprise
ABC     Mac-OSX
DEF     Windows Server-2016
DEF     Windows Server-2012
DEF     Red Hat v8.2

Above is a little generic data that is in a CSV/lookup; there is a "System" and an "OS" field. I have one drop-down that filters by a system that works by dynamically populating. I want to add another drop-down that is static, that filters by server/non-server:

Windows-10-Enterprise, OSX, etc would be "Non-Server"
Red Hat v8.2, Windows Server-2012, Windows Server-2016, etc would be "Server".
* would be for all OS

I tried adding these as static options, but I can't seem to get it to work. Only "*" works for an all option.

Any ideas?


0 Karma
1 Solution

to4kawa
Ultra Champion
<form>
  <label>multi select</label>
  <search id="base">
    <query>| makeresults
| eval _raw="System,OS
ABC,Windows-Server-2016
ABC,Windows-10-Enterprise
ABC,Mac-OSX
DEF,Windows Server-2016
DEF,Windows Server-2012
DEF,RedHat v8.2"
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|redhat"),"Server","non-Server")</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="system">
      <label>System</label>
      <fieldForLabel>System</fieldForLabel>
      <fieldForValue>System</fieldForValue>
      <search base="base">
        <query>| dedup System</query>
      </search>
    </input>
    <input type="dropdown" token="server">
      <label>server</label>
      <fieldForLabel>SERVER</fieldForLabel>
      <fieldForValue>SERVER</fieldForValue>
      <search base="base">
        <query>| dedup SERVER</query>
      </search>
    </input>
  </fieldset>
  <row>
    <html>
      <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
    </html>
  </row>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>| search System=$system$ AND SERVER=$server$</query>
        </search>
      </table>
    </panel>
  </row>
</form>


0 Karma

UMDTERPS
Communicator

Thanks for the reply, I'm trying to get two drop downs. One with a system name drop-down and another drop-down with "Server" and "Non-Server" as options to select. I want the system drop-down to populate the systems and the other drop-down to have "Server" and "Non-Server" options to select. So essentially, I want to combine your first two drop-downs into one. I attached a pic to show what I would like to do.

Any ideas?


0 Karma

to4kawa
Ultra Champion

I can't see your latest pic. How about my updated answer?

0 Karma

UMDTERPS
Communicator

I made a slight mod to the SPL/XML, but it works! THANKS! 😃

<form>
  <label>Dropdown Test 2</label>
  <search id="base">
    <query>| inputlookup system.csv
| multikv forceheader=1
| table System OS
| eval SERVER=if(match(OS,"(?i)server|Red Hat"),"Server","non-Server")</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="system">
      <label>System</label>
      <fieldForLabel>System</fieldForLabel>
      <fieldForValue>System</fieldForValue>
      <search base="base">
        <query>| dedup System</query>
      </search>
    </input>
    <input type="dropdown" token="server">
      <label>server</label>
      <fieldForLabel>SERVER</fieldForLabel>
      <fieldForValue>SERVER</fieldForValue>
      <search base="base">
        <query>| dedup SERVER</query>
      </search>
    </input>
  </fieldset>
  <row>
    <html>
      <p>result:</p><p>System token:$system$ </p><p>SERVER token:$server$</p>
    </html>
  </row>
  <row>
    <panel>
      <table>
        <search base="base">
          <query>| search System=$system$ AND SERVER=$server$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma
