Splunk Search

How to populate a dynamic drop-down with an eval case statement?

Engager

Hi!

So I have two drop-downs on my dashboard: one with a static list of options (dd1), and a second one which will populate based on the first choice made (dd2). In dd2, I am using the dynamic search option with the token from dd1:

eval values = case ( $dd1$ == "dd1v1", "dd2v1",  $dd1$ == "dd1v2",  "dd2v2")
fieldforvalues and fieldforlabels = values

The message below dd2 says it is "Populating", but then it continues to do so after a while before stating no results were found.
Any help, or alternative suggestions to this method would be greatly appreciated.

Using Splunk Enterprise 6.4 and Simple XML I believe. Thank you!

0 Karma
1 Solution

Revered Legend

Use this as dd2 search
Update - fixed typo

| gentimes start=-1 | eval values=ase ("$dd1$" == "dd1v1", "dd2v1",  "$dd1$" == "dd1v2",  "dd2v2",1=1,"Unknown") | table values

View solution in original post

Revered Legend

Use this as dd2 search
Update - fixed typo

| gentimes start=-1 | eval values=ase ("$dd1$" == "dd1v1", "dd2v1",  "$dd1$" == "dd1v2",  "dd2v2",1=1,"Unknown") | table values

View solution in original post

Engager

Everything is now working! I also was able to do a list of results which you will need to append

... | makemv values | mvexpand values | table values 

at the end in order to separate the list into separate values for the field

0 Karma

Engager

So this did the trick but it should be gentimes start = -1

However, I am still getting the issue where the token, $dd1$, is being replaced with the actual value in the dynamic search for dd2

0 Karma

Engager

Still hitting the same problem. I am pretty new to Splunk, so I'm not sure if this is related, but occasionally, the app will replace $dd1$ with the actual value? Like the search query will change from $dd1$ to dd1v.

Also thanks for the quick resposne!

0 Karma