Splunk Search

How to use a multivalue field in a dropdown list?

jip31
Motivator

Hello

as you can see "type" field as 3 values : stand, vd or xe

if the "type" field is "vd" or "xe", I need to gather them in a field called "virt" but i dont succeed 

could you help me please?

 

    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Environnement source</label>
      <choice value="*">*</choice>
      <choice value="stand">stand</choice>
      <choice value="type=(vd OR xe)">virt</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@jip31 

Change your search with this.

<search>
          <query>index=test $type$ </query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

 

KV

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@jip31 

Are you looking for something like this?

 

<input type="dropdown" token="type" searchWhenChanged="true">
      <label>Environnement source</label>
      <choice value="*">*</choice>
      <choice value="stand">stand</choice>
      <choice value="vd&quot; OR type=&quot;xe">virt</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>type="</prefix>
      <suffix>"</suffix>
    </input>

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

0 Karma

jip31
Motivator

Hi

it doesnt works

if i just put 

    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Environnement source</label>
      <choice value="*">*</choice>
      <choice value="standalone">stand</choice>
    </input>

it works

but with this it doent  works

 <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Environnement source</label>
      <choice value="*">*</choice>
      <choice value="stand">standalone</choice>
          <choice value="vd&quot; OR type=&quot;xe">virt</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>type="</prefix>
      <suffix>"</suffix>
    </input>

 

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@jip31 

Did you try this?

MY_SEARCH $type$ | OTHER SEARCH

 

My Sample Code:

<row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval type="stand,vd,xe",type=split(type,",") |stats count by type | search $type$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

 

Can you please share your sample search code only?

KV 

0 Karma

jip31
Motivator

here is

 

 

<form>
    <input type="dropdown" token="type" searchWhenChanged="true">
      <label>Environnement source</label>
      <choice value="*">*</choice>
      <choice value="stand">stand</choice>
         <choice value="vd&quot; OR type=&quot;xe">virt</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>type="</prefix>
      <suffix>"</suffix>
    </input>
  <row>
    <panel>
      <single>
        <title>ww</title>
        <search>
          <query>index=test type="$type$"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

 

 

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@jip31 

Change your search with this.

<search>
          <query>index=test $type$ </query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

 

KV

0 Karma

jip31
Motivator

perfect thanks

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...