Splunk Search

How to use a drop-down token to pick different searches to run and populate a chart panel?

yogas
New Member

I have a dashboard that is populated only by a drop-down input and a chart panel.

What I want to do is have several predefined searches stored somewhere, and then based on the token value I choose from the drop-down, choose the appropriate search and then populate that search into the chart panel.

If I can store two different searches inside variables, for example search01 and search02. these perform two very different searches...

And then for example, using the token $prod$ that I got from the drop-down, I do the following conditional:

if $prod$=1 then populate the chart panel with

<searchString>search01</searchString>

elseif $prod$=2 then populate the chart panel with

<searchString>search02</searchString>

any ideas would be much appreciated 🙂

cheers,
Yogas

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

This is how I would do the same thing:-

  1. Create a saved search for all the searches that you want to run. http://docs.splunk.com/Documentation/Splunk/6.2.4/Report/Createandeditreports
  2. In the dropdown input, provide the name of saved searches as value.
  3. Update your search for chart to use following (http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Savedsearch)

    | savedsearch $tokenname$

This way whatever user selects from dropdown, that savedsearch name appears here and ran.

View solution in original post

bmacias84
Champion
0 Karma

somesoni2
SplunkTrust
SplunkTrust

This is how I would do the same thing:-

  1. Create a saved search for all the searches that you want to run. http://docs.splunk.com/Documentation/Splunk/6.2.4/Report/Createandeditreports
  2. In the dropdown input, provide the name of saved searches as value.
  3. Update your search for chart to use following (http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Savedsearch)

    | savedsearch $tokenname$

This way whatever user selects from dropdown, that savedsearch name appears here and ran.

rey123
Path Finder

@somesoni2 , what if the saved search themselves took parameters? ie., the saved search output depended on the values of those parameters (among others), in the search. How could heen create such a search?

0 Karma

yogas
New Member

Hi somesoni2,
thank you for the answer, this turns out to be quite simple and works great 🙂

0 Karma

gfreitas
Builder

Hi Yogas,

I've done this once using search macros. I've created some searches eg: search01, search02 and search03 and when the user choose the dropdown the value of the dropdown is the search macro name and the dashboard just runs: $search_dropdown$

I also used this to add variables to the search macro and add some variable to the searches.

Hope this can help you!

rey123
Path Finder

@gfreitas, would you be able to explain your suggestion with an example? It would be MUCH clearer then for those of us trying to execute the same steps!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...