Splunk Search

How to trigger search based on a dynamic dropdown input?

ByteFlinger
Engager

I am trying to create a dropdown box to allow the user to select a host category (like backend or frontend), and then I want to create another dropdown box to select a specific host.

So far I have the following:

<input type="dropdown" token="category" searchWhenChanged="true">
  <label>Select category</label>
  <choice value="*">*</choice>
  <default>*</default>
  <prefix>category="</prefix>
  <suffix>"</suffix>
  <change>
    <!-- reset the dependent host dropdown whenever the category changes -->
    <unset token="form.host"></unset>
  </change>
  <search>
    <query>| inputlookup host_table | stats count by category</query>
  </search>
  <fieldForLabel>category</fieldForLabel>
  <fieldForValue>category</fieldForValue>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
  <label>Select host</label>
  <search>
    <!-- populated only with the hosts that belong to the selected category -->
    <query>sourcetype = "somesourcetype" [| inputlookup category | search $category$ | fields host ] | stats count by host</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <default>*</default>
  <choice value="*">*</choice>
</input>

That is followed by a graph which runs a simple search to show an event count for a specific log on that host:

sourcetype="somesourcetype" host=$host$ | rex field=source max_match=40 ".*/(?<appname>.+)\.log" | timechart count by appname

So the idea here is that when the user changes a category, it will reset the host dropdown box, since each category will have different hosts, setting it to * so that all hosts for that category are chosen by default and shown in the graph.

This works well if the host dropdown has a specific host selected and the user changes the category. However, the issue I am having is that if the host dropdown is *, changing the category dropdown to any value (frontend, backend or *) will not change the graphs (but will properly repopulate the host dropdown with only the hosts available for that category).

Does anybody know why this happens and how to fix it?


somesoni2
Revered Legend

Change your panel search like this:

sourcetype="somesourcetype" [| inputlookup category | search $category$ AND host=$host$ | fields host ] | rex field=source max_match=40 ".*/(?<appname>.+)\.log" | timechart count by appname

When you select *, the panel search can't differentiate based on category, so you need to add logic that will take both the category and host dropdown values into consideration.

ByteFlinger
Engager

Thank you.

I suspected this was the issue; however, the problem is that category is just a value in a lookup table and not something mapped to the actual host.

I am quite new to Splunk, and I am not even certain yet how to go about creating such a category-to-host mapping (maybe the Splunk forwarder could send this information from each server?), so for now I created a simple static lookup table with the mapping between category and host.

With that lookup table, the way I see to solve this would be to map the "*" value in the host dropdown to a dynamically generated query which returns a list of the hosts for that category. Something like this:

(host="host1" OR host="host2")

which I could inject into the panel query; however, I have no idea how to go about generating such a query from a list of hosts. Any pointers?

Any feedback would be welcome.


somesoni2
Revered Legend

It might not work very well if the number of hosts is too big. But give this a try (XML code for the host dropdown; replace your current query with tstats, which is more efficient for this kind of query, i.e. querying based on metadata like host/source/sourcetype, etc.):

<input type="dropdown" token="host" searchWhenChanged="true">
  <label>Select host</label>
  <search>
    <!-- appendpipe adds a "*" choice whose value is the OR-list of every host in the category -->
    <query>| tstats count WHERE sourcetype = "somesourcetype" [| inputlookup category | search $category$ | fields host ] by host | table host | eval hostvalue="host=".host | appendpipe [| stats values(hostvalue) as search | format | rename search as hostvalue | eval host="*" ]</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>hostvalue</fieldForValue>
  <default>*</default>
</input>

Now your panel search will become this (instead of using host=$host$, you should be using just $host$ now):

sourcetype="somesourcetype" $host$  | rex field=source max_match=40 ".*/(?<appname>.+)\.log" | timechart count by appname

ByteFlinger
Engager

Whoa, that was a lot more advanced than I expected 😄

I was doing some reading and found out about the format command, which sounds like it could be of some use as well. I'll give it a try, thank you.


ByteFlinger
Engager

Nope. I removed the trigger from the category dropdown, and it seems that the host dropdown is still updated when I change it (which is nice), but the graphs still do not update on category changes if the host was * before the change.


ByteFlinger
Engager

So after a bit of debugging I arrived at a slightly different query than yours:

| tstats count WHERE sourcetype = "somesourcetype" [| inputlookup category | search $category$ | fields host ] by host | table host | eval hostvalue="host=".host | appendpipe [| table host | format | rename search as hostvalue | eval host="*" ]

Yours wraps the entire host query in quotes, (("host=host1") OR ("host=host2")), instead of ((host="host1") OR (host="host2")).

So now the host dropdown returns the correct query, but I am back at the original issue. Changing the category dropdown unsets the host dropdown, which in Splunk terms looks like it means setting it to the dropdown default value (which I have as *), and this apparently leads to $host$ listing all servers.

I am able to confirm this by creating a graph with the following query to simply list the current hosts:

sourcetype="somesourcetype" $host$ | stats count by host

Am I missing something? Does it have anything to do with the unset trigger maybe?

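The two steps the thread circles around, turning a category's lookup rows into a `(host="..." OR host="...")` filter and the quoting difference between the two `format` variants, as an added Python example (not code from the thread and not Splunk's own `format` implementation). The lookup rows are constructed, the output shapes follow what the thread reports, and `spl_quote` assumes SPL's backslash escaping inside double-quoted literals.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of the category -> host lookup the question describes.
CATEGORY_LOOKUP = [
    {"category": "frontend", "host": "web01"},
    {"category": "frontend", "host": "web02"},
    {"category": "backend", "host": "db01"},
]

_FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # conservative field-name check


def spl_quote(value: str) -> str:
    """Quote a value as an SPL string literal, escaping backslashes and double quotes
    (assumed escaping rule) so a lookup row can only ever be read as a literal host name."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def hosts_for_category(rows, category: str):
    """Mimic `| inputlookup ... | search category=<token> | fields host`; "*" matches all."""
    return [r["host"] for r in rows if fnmatchcase(r["category"], category)]


def format_field_clauses(field: str, values) -> str:
    """Shape the thread reports for `| table host | format`:
    ((host="web01") OR (host="web02")), i.e. one field=value test per row."""
    if not _FIELD_NAME.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    values = list(values)
    if not values:
        # An empty host list must not silently become a match-everything filter;
        # that is the failure the thread hits when $host$ falls back to "*".
        raise ValueError("no hosts to filter on")
    return "(" + " OR ".join(f"({field}={spl_quote(v)})" for v in values) + ")"


def format_search_values(values) -> str:
    """Shape the thread reports for `stats values(hostvalue) as search | format`: the
    whole string is quoted, so host=web01 becomes the literal "host=web01", not a test."""
    return "(" + " OR ".join(f"({spl_quote(v)})" for v in values) + ")"


if __name__ == "__main__":
    for category in ("frontend", "*"):
        hosts = hosts_for_category(CATEGORY_LOOKUP, category)
        print(category, "->", format_field_clauses("host", hosts))
    print("wrong shape:", format_search_values(f"host={h}" for h in ["web01"]))
```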