Splunk Search

Set token from dropdown

smahuja
Explorer

Hi,

I have a dropdown with dynamic query

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client_id</fieldForLabel>
<fieldForValue>client</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

For display dropdown in dashboard, I want exactly like: clientName(Client_id) ex: Tester(123).

but in panel queries I want only clientId in a token, no clientName.

any help would be appreciated.

thanks !!!

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need client and client_id in the table returned by the query and I think you have the label and value fields the wrong way around. Try something like this:

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>
0 Karma

smahuja
Explorer

thanks for the reply,

I want dropdown in a same way ->client_name(client_id) ,example: Smith(123)

but  in a token I only want client_id(123) not client_name(Smith), as I want to use in a panel query

 

<row>
<panel>
<chart>
<title>  Volume</title>
<search>
<query>Basic Search | search client_id="$clientId$" |eval URI1 = uri.....| timechart span="1m" count by URI1 usenull=f useother=f</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

0 Karma

smahuja
Explorer

Cool, Thanks..

Its working, sorry I misunderstood..

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...