Prevent delay in wildcard being in dropdown selection with dynamic selections listed first

MichaelMcAleer
Path Finder

Hi Splunk Users,

I have a question around populating a dropdown menu with results from a table when a wildcard choice value is also an option. I don't have an issue creating the dropdown, or getting the wildcard value, but what I need to find out is how to make the default choice the first item returned from a list and not the wildcard ALL value. Example:

<fieldset submitButton="false" autoRun="true">
  <input type="dropdown" token="array_tok" searchWhenChanged="true">
    <label>Array Serial</label>
    <search>
      <query>`storage_array` | dedup array_id | table array_id | sort desc</query>
      <earliest>-48h@h</earliest>
      <latest>now</latest>
    </search>
    <choice value="*">ALL</choice>
    <fieldForLabel>array_id</fieldForLabel>
    <fieldForValue>array_id</fieldForValue>
  </input>
</fieldset>

I have tried to use the selectFirstChoice and default tags here, but with no success. I can get the dropdown to do nothing, so that no dashboard panels populate with data until the user makes a selection, but ideally I would like the top item from the search to be the default selection and the ALL choice to be the last item at the bottom of the list. So when a user navigates to a dashboard, the first array_id returned is the default value for the dropdown.

Any ideas?
Thanks!


MichaelMcAleer
Path Finder

So after some discussion with Splunk a solution was found which is very close to the method above (appending a search to the original query); however, the change in how the wildcard * option is created removes the delay in getting it to appear:

<input type="dropdown" token="field1">
    <label>Drilldown Menu - Select First From List</label>
    <fieldForLabel>uri_path_label</fieldForLabel>
    <fieldForValue>uri_path</fieldForValue>
    <selectFirstChoice>true</selectFirstChoice>
    <search>
        <query>
            index=_internal uri_path=*
            | head 10
            | stats count by uri_path
            | eval uri_path_label=uri_path
            | append
            [| stats count | eval keys="*,a,foo,z"
            | makemv delim="," keys
            | mvexpand keys
            | eval uri_path_label = case(keys="*","All",true(),upper(substr(keys,1,1)) . substr(keys,2,len(keys)))
            | eval uri_path = keys]
        </query>
        <earliest>-5000@h</earliest>
        <latest>now</latest>
    </search>
</input>

niketn
Legend

@MichaelMcAleer, you can replace the | stats count with | makeresults | fields - _time. Glad you found a working solution.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

MichaelMcAleer
Path Finder

Just implemented this in a wider test and I'm still seeing the delay, so I will unmark it as the accepted answer. If a workable solution comes back I will post it here.


DalJeanis
Legend

I believe the issue is that in order for "ALL" to mean anything, there must be a difference between the fieldForLabel and fieldForValue.

Try this ...

<input type="dropdown" token="array_tok" searchWhenChanged="true">
  <label>Array Serial</label>
  <search>
    <query>
`storage_array`
| dedup array_id
| table array_id
| eval array_id_label = array_id
| sort desc
| append
    [ | makeresults
      | eval array_id="*"
      | table array_id
      | eval array_id_label="ALL"
    ]
    </query>
    <earliest>-48h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>array_id_label</fieldForLabel>
  <fieldForValue>array_id</fieldForValue>
  <selectFirstChoice>true</selectFirstChoice>
</input>

MichaelMcAleer
Path Finder

Hi @DalJeanis, thanks for the response. The issue wasn't with getting ALL to appear in the list, but instead the order in which it appeared when the dashboard is loaded. In the sample above, using append within the query in such a way creates a delay before ALL appears as an option.


niketn
Legend

@MichaelMcAleer, if you use a Static Choice Option, it will always be present before the Dynamic Choices. So using <selectFirstChoice> will give you All as the selected option by default.
As a workaround, you can remove the dropdown static option All=* and add the same to your search itself using append. Then code the <change> event of the dropdown to set the token from the dropdown.

Following is a run anywhere example:

<form>
  <label>Select First Choice</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="arrayDD" searchWhenChanged="true">
      <label>Array Serial</label>
      <search>
        <query>index=_internal sourcetype=splunkd log_level=*
        | dedup log_level
        | table log_level
        | append [| makeresults
        | eval log_level="All"
        | fields - _time]</query>
        <earliest>-48h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <change>
        <condition value="All">
          <set token="array_tok">*</set>
        </condition>
        <condition>
          <set token="array_tok">$value$</set>          
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <div>
          Selected Dropdown Value: $array_tok$
        </div>
      </html>
    </panel>
  </row>
</form>

PS: I am not using the token from the dropdown (arrayDD), but the token set in the <change> event, i.e. array_tok.


MichaelMcAleer
Path Finder

@niketnilay Thanks for the quick response! I tried this in a clean dashboard and the 'All' option does not appear in the list initially, but only once a manual choice has been made by the user. Is this expected behaviour? It would be good to see the options 'INFO', 'WARN', 'ERROR', and 'ALL' here when the user first clicks the dropdown expand button.


niketn
Legend

Hi @MichaelMcAleer, since the All option has been switched from a Static Option to the Dynamic Search, it will show up only after the search query completes. So there is a delay before the All option pops up; it is not that it shows up only after a selection is made.

Please replace the run anywhere query in my example with your Dynamic query for dropdown and see how long it takes to complete and show All option.

<input type="dropdown" token="arrayDD" searchWhenChanged="true">
  <label>Array Serial</label>
  <search>
    <query>`storage_array`
    | dedup array_id
    | table array_id
    | sort desc
    | append [| makeresults
             | eval array_id="All"
             | fields - _time]
    </query>
    <earliest>-48h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>array_id</fieldForLabel>
  <fieldForValue>array_id</fieldForValue>
  <selectFirstChoice>true</selectFirstChoice>
  <change>
    <condition value="All">
      <set token="array_tok">*</set>
    </condition>
    <condition>
      <set token="array_tok">$value$</set>
    </condition>
  </change>
</input>

MichaelMcAleer
Path Finder

Tried this again; unfortunately the option for ALL doesn't display until clicked either. It goes against the principal design plan of ease of usability for the end user, so I might have to leave it if it is not possible to have ALL at the end of the dynamic list.

So is it just that static options are processed before dynamic options when constructing the list options? I can get in contact with Splunk directly to see if there is a workaround I can apply within the app itself to change the behavior.


niketn
Legend

Strangely, although it takes time, the All option shows up fine for me. I can try to explore other options. Surely reach out to the Splunk Support Team. Meanwhile I will convert my answer to a comment so that others can provide their inputs, seeing this question as unanswered.


MichaelMcAleer
Path Finder

Thanks very much for all the help! I will reach out to the Splunk team, and if I get an answer/solution I will post it here for everyone to see.
