Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Select all values from a dropdown input

danielsavage
New Member
‎07-04-2017 08:27 AM

At the moment I have a final dropdown input which has options for hosts already predetermined in it from previous dropdowns. When I select the "All" option (using *) in the final dropdown , instead of selecting all the hosts in the final dropdown, it selects all the hosts in the index file completely. How can I have an all option for just the hosts determined?

Tags (2)
0 Karma
Reply

niketn
Legend
‎07-04-2017 10:26 AM

@danielsavage, you might have to throw light on what kind of data is being added to your dropdown and whether it is static or dynamic through query. You will have to provide more information of the query that populated the dropdown.

Seems like your intent is to pass on a list of hosts to your query however, dropdown can pass on only one value unless you code dropdown's change event.

Following is run anywhere example using Splunk's _internal logs. You will notice All (Astrix) will find INFO, WARN and ERROR while All (Dropdown) will set only the values set through query which excludes INFO ie only WARN and ERROR.

<form>
  <label>Use all Dropdown values for search filter</label>
  <fieldset submitButton="false">
    <input type="time" token="selTime" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="selLogLevel">
      <label>Select Log Level</label>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level!=INFO
| dedup log_level
| table log_level</query>
        <earliest>$selTime.earliest$</earliest>
        <latest>$selTime.latest$</latest>
      </search>
      <choice value="*">All (Astrix)</choice>
      <choice value="all_dd">All (Dropdown)</choice>
      <change>
        <condition value="all_dd">
          <set token="queryFilter">[search index=_internal sourcetype=splunkd log_level!=INFO earliest=$selTime.earliest$ latest=$selTime.latest$| dedup log_level | table log_level]</set>
        </condition>
        <condition>
          <set token="queryFilter">log_level="$value$"</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd $queryFilter$
| stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

santosh_sshanbh
Path Finder
‎04-03-2018 06:44 AM

I tried like above given code but in my case I have to read all items of the drop down using a lookup so used below, 

  <label>Select Group Name</label>
  <fieldForLabel>GroupName</fieldForLabel>
  <fieldForValue>GroupName</fieldForValue>
  <search>
   <query>| inputlookup production_site_groups | search Region="$REGION$" SiteName="$SITENAME$" | sort GroupName | table GroupName </query>
  </search> 
  <choice value="all_dd">All</choice>
   <change>
     <condition value="all_dd">
       <set token="queryFilter">[search | inputlookup production_site_groups | search Region="$REGION$" SiteName="$SITENAME$" | sort GroupName | fields GroupName]</set>
     </condition>
     <condition>
       <set token="queryFilter">cn="$value$"</set>
     </condition>
   </change>
</input>

but getting below error in this case
Error in 'inputlookup' command: This command must be the first command of a search.

Any suggestion, how I can read the all items using inputlookup command?

0 Karma
Reply

santosh_sshanbh
Path Finder
‎04-03-2018 11:18 PM

Above option didn't worked. Let me give more information on my need. I have a lookup file production_site_groups as below:

Region Site Group
ASIA India Grpa
ASIA India Grpb
NA USA Grpc
NA USA Grpd

And 3 drop downs to select Region, Site & Group

Monitor Groups

<input type="dropdown" token="REGION" searchWhenChanged="true">
  <label>Select Region</label>
  <search>
    <query>| inputlookup production_site_groups | dedup Region | sort Region | fields Region</query>
  </search>
  <selectFirstChoice>false</selectFirstChoice>
  <fieldForLabel>Region</fieldForLabel>
  <fieldForValue>Region</fieldForValue>
  <default>NA</default>
</input>
<input type="dropdown" token="SITENAME" searchWhenChanged="true">
  <label>Select Site Name</label>
  <search>
    <query>| inputlookup production_site_groups | search Region="$REGION$" | dedup SiteName | sort SiteName | fields SiteName AppName GroupName</query>
  </search>
  <fieldForLabel>SiteName</fieldForLabel>
  <fieldForValue>SiteName</fieldForValue>
</input>
<input type="time" token="SELECTED_TIME" searchWhenChanged="true">
  <label>Select Time Range</label>
  <default>Last 7 days</default>
</input>
<input type="dropdown" token="GROUPNAME" searchWhenChanged="true">
  <label>Select Group Name</label>
  <fieldForLabel>GroupName</fieldForLabel>
  <fieldForValue>GroupName</fieldForValue>
  <search>
   <query>| inputlookup production_site_groups | search Region="$REGION$" SiteName="$SITENAME$" | sort GroupName | table GroupName </query>
  </search> 
  <choice value="all_dd">All</choice>
   <change>
     <condition value="all_dd">
       <set token="queryFilter">[| inputlookup production_site_groups | search Region="$REGION$" SiteName="$SITENAME$" | sort GroupName | table GroupName]</set>
     </condition>
     <condition>
       <set token="queryFilter">cn="$value$"</set>
     </condition>
   </change>
</input>


<panel>
  <title>Group Changes History -</title>
  <table>
    <search>
      <query>index="main" source="Log" $queryFilter$ | dedup _raw | rex max_match=0 "uid=(?&lt;GG_Event_Members&gt;[a-zA-Z0-9]*)" |  table

_time, cn
$SELECTED_TIME.earliest$
$SELECTED_TIME.latest$

20
none
none
1
0
0
0
1
true
true

This code works fine when individual item in the 3rd drop down is selected but when All is selected, its not returning any data. Ideally for All the search command should look like below when ASIA region and India site is selected in the first 2 drop downs.

index="main" source="Log" cn="Grpa" OR cn="Grpb"

0 Karma
Reply

niketn
Legend
‎04-03-2018 08:16 AM

@santosh_sshanbhag, Without having a context of your issue/use case, you don't need to prefix search in front of generating commands like inputlookup:

<set token="queryFilter">[| inputlookup production_site_groups | search Region="$REGION$" SiteName="$SITENAME$" | sort GroupName | fields GroupName]</set>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

santosh_sshanbh
Path Finder
‎04-03-2018 11:25 PM

I think the problem I am facinng is due to subsearch which creates AND of all values. Whereas I need to have OR condition for all subquery return values.

0 Karma
Reply

niketn
Legend
‎04-04-2018 12:53 AM

After fields GroupName add the following two pipes as well

 [| <yourSearchWithInputLookup>
| fields GroupName
| format
| table search]

Following is a run anywhere search to mimic your inner query similar to inputlookup. Please try out and confirm!

| makeresults 
| eval GroupName="abc;def" 
| makemv GroupName delim=";" 
| mvexpand GroupName 
| sort GroupName 
| fields GroupName 
| format 
| table search
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

santosh_sshanbh
Path Finder
‎04-04-2018 02:33 AM

Thanks a lot. Your solution worked for me. Only change I have to do is rename GroupName to cn which is the field to be checked.

0 Karma
Reply

niketn
Legend
‎04-04-2018 08:01 AM

@santosh_sshanbhag If it worked please do accept the answer and up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

santosh_sshanbh
Path Finder
‎04-04-2018 10:29 PM

Your solution worked. Thanks. How can I accept this as answer?

0 Karma
Reply

niketn
Legend
‎04-04-2018 10:35 PM

@santosh_sshanbhag , Glad that you were able to find a working solution. I just noticed that you did not post this question. So you can not Accept the Answer. But you can definitely up vote the answer/comments that helped with the Up Arrow which shows up next to Answer/ comments (on hover).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

danielsavage
New Member
‎07-05-2017 12:38 AM

So the list of hosts in my dropdown is dynamic and always different. I was wondering if that is there any way I can pass the query that was used to determine the list of hosts instead of the * for all?

0 Karma
Reply

niketn
Legend
‎07-05-2017 03:25 AM

Hi, whatever query populates your dynamic list of hosts, the same should be passed on as $queryFilter$ query when you choose option to use dynamically populated hosts to your actual query.

I have retained All Asterix (*) to still show all hosts, but you should notice that I have separately coded All (Dropdown) using all_dd value.

Following condition in dropdown change event is passing the filter query as you have requested (you need to replace with your query used to populate hosts)

     <condition value="all_dd">
       <set token="queryFilter">[search index=_internal sourcetype=splunkd log_level!=INFO earliest=$selTime.earliest$ latest=$selTime.latest$| dedup log_level | table log_level]</set>
     </condition>

PS: If you want to select multiple hosts and pass on multiple host values as concatenated string to your base search you can also evaluate Multi Select input which will allow you to skip coding the change event. However, I dont think that is your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎07-07-2017 10:12 AM

@danielsavage, were you able to try suggested code?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top