Splunk Search

Set token from dropdown

smahuja
Explorer

Hi,

I have a dropdown with dynamic query

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client_id</fieldForLabel>
<fieldForValue>client</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

For display dropdown in dashboard, I want exactly like: clientName(Client_id) ex: Tester(123).

but in panel queries I want only clientId in a token, no clientName.

any help would be appreciated.

thanks !!!

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need client and client_id in the table returned by the query and I think you have the label and value fields the wrong way around. Try something like this:

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>
0 Karma

smahuja
Explorer

thanks for the reply,

I want dropdown in a same way ->client_name(client_id) ,example: Smith(123)

but  in a token I only want client_id(123) not client_name(Smith), as I want to use in a panel query

 

<row>
<panel>
<chart>
<title>  Volume</title>
<search>
<query>Basic Search | search client_id="$clientId$" |eval URI1 = uri.....| timechart span="1m" count by URI1 usenull=f useother=f</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

0 Karma

smahuja
Explorer

Cool, Thanks..

Its working, sorry I misunderstood..

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...