
How to make a search run or populate a dropdown if condition is met using simple xml?

dreamwork801
Path Finder

So I have a dropdown called Repository that populates a search, and another dropdown called Namespace that has set choices. I only want there to be options if a certain Repository, "strawman", is chosen. Is there a way I can do that with a populating search for the Namespace option? Here is my Simple XML. Also, the company I work for is really big on security, so I can't do any JavaScript, and I'd rather stick to Simple XML.

<input type="dropdown" token="repository" searchWhenChanged="true">
  <label>Repository:</label>
  <default>strawman</default>
  <choice value="*">Any</choice>
  <populatingSearch fieldForValue="repository" fieldForLabel="repository">
    <![CDATA[index = git earliest="01/01/2009:20:00:00" latest=now() |table Data.payload.repository.name | dedup Data.payload.repository.name | sort Data.payload.repository.name | rename Data.payload.repository.name AS repository]]>
  </populatingSearch>
</input>
<input type="dropdown" token="namespace" searchWhenChanged="true">
  <label>Namespace: (Strawman Rep. Only)</label>
  <default>*</default>
  <choice value="*">Any</choice>
  <choice value="Payments/">Payments</choice>
  <choice value="Invoicing/">Invoicing</choice>
  <choice value="Network/">Networking</choice>
</input>

Or is there a way I can have my searches just wildcard the $namespace$ option if $repository$ doesn't equal "strawman"?

Here is my search:

Index=git OR index=git "Data.payload.head_commit.modified{}" = "*$namespace$*"  "Data.payload.head_commit.modified{}" = "*$file$*" "Data.payload.head_commit.modified{}" = "*$extension$" "Data.payload.repository.name" = "*$repository$*" | table Data.payload.head_commit.committer.name |stats count by Data.payload.head_commit.committer.name | dedup Data.payload.head_commit.committer.name |  sort by -count | rename Data.payload.head_commit.committer.name as "Committer Name" | head 20
0 Karma

somesoni2
SplunkTrust

Try this as your Namespace dropdown xml

<input type="dropdown" token="namespace" searchWhenChanged="true">
  <label>Namespace: (Strawman Rep. Only)</label>
  <default>*</default>
  <choice value="*">Any</choice>
  <populatingSearch fieldForValue="namespace" fieldForLabel="namespace">
    <![CDATA[|gentimes start=-1 | eval repository="strawman" | table repository 
| eval namespace="Payments Invoicing Networking" | makemv namespace | mvexpand namespace
| where repository="$repository$"]]>
  </populatingSearch>
</input>

samaikins
New Member

Hi
I've got a similar scenario where I am trying to store the current timestamp (EPOCH) into a KVStore.
However, I can't seem to get it working. Some help will be appreciated.

// Create Search manager to get current timestamp EPOCH TIME
var timestamp_search = new SearchManager({
    "id": "timestamp_search",
    "status_buckets": 0,
    "latest_time": "$latest$",
    "search": "| stats count as timestamp | eval timestamp = now()",
    "earliest_time": "$earliest$",
    "cancelOnUnload": true,
    "app": utils.getCurrentApp(),
    "auto_cancel": 90,
    "preview": true,
    "runWhenTimeIsUndefined": false
}, {tokens: true});

// retrieve data from search manager
var timestamp_search_obj = timestamp_search.data("preview");
timestamp_search_obj.on("data", function() {
    var timestamp_search_result = timestamp_search_obj.data().rows;
});

// Create a dictionary to store the field names and values
var record = {
    "time-stamp": timestamp_search_result
};
0 Karma

dreamwork801
Path Finder

Version 6.03

0 Karma

somesoni2
SplunkTrust

What version of Splunk are you using?

0 Karma

dreamwork801
Path Finder

No, I do not.

0 Karma

somesoni2
SplunkTrust

Do you have a submit button in your form/dashboard?

0 Karma

dreamwork801
Path Finder

Hey that works great! Thank you! The only slight problem is if I choose "strawman" as the Repository and then choose a Namespace, but then I change the Repository to something else, the Namespace option populates no results as it should, but none of my other searches produce results because I think the searches still have a Namespace option filled out, when it should be "*". So basically how do I have it reset back to default? If possible

0 Karma

yeungto
New Member

Is there any solution provided?

0 Karma
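
One Simple XML-only way to handle the reset asked about in this thread, as an added example that is not from any of the posters: it assumes a Splunk release whose Simple XML supports `<change>` handlers on inputs and the `|s` token filter, which may be newer than the 6.03 mentioned above.

```xml
<!-- Added example. Assumes <change> on inputs and the |s token filter are available. -->
<input type="dropdown" token="repository" searchWhenChanged="true">
  <label>Repository:</label>
  <default>strawman</default>
  <choice value="*">Any</choice>
  <populatingSearch fieldForValue="repository" fieldForLabel="repository">
    <![CDATA[index = git earliest="01/01/2009:20:00:00" latest=now() |table Data.payload.repository.name | dedup Data.payload.repository.name | sort Data.payload.repository.name | rename Data.payload.repository.name AS repository]]>
  </populatingSearch>
  <change>
    <!-- Runs on every Repository change. Writing form.namespace moves the
         Namespace input back to "Any", so no stale namespace value is left
         in the panel searches. No condition is needed: a switch to
         "strawman" always comes from a repository where Namespace was
         already "*". -->
    <set token="form.namespace">*</set>
  </change>
</input>
<input type="dropdown" token="namespace" searchWhenChanged="true">
  <label>Namespace: (Strawman Rep. Only)</label>
  <default>*</default>
  <choice value="*">Any</choice>
  <populatingSearch fieldForValue="namespace" fieldForLabel="namespace">
    <!-- $repository|s$ has Splunk quote and escape the token value. The
         repository names come from indexed data, so a name containing a
         double quote would otherwise break out of the string literal. -->
    <![CDATA[|gentimes start=-1 | eval repository="strawman" | table repository
| eval namespace="Payments Invoicing Networking" | makemv namespace | mvexpand namespace
| where repository=$repository|s$]]>
  </populatingSearch>
</input>
```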