Splunk Search

Set token from dropdown

smahuja
Explorer

Hi,

I have a dropdown with dynamic query

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client_id</fieldForLabel>
<fieldForValue>client</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

For display dropdown in dashboard, I want exactly like: clientName(Client_id) ex: Tester(123).

but in panel queries I want only clientId in a token, no clientName.

any help would be appreciated.

thanks !!!

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need client and client_id in the table returned by the query and I think you have the label and value fields the wrong way around. Try something like this:

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>
0 Karma

smahuja
Explorer

thanks for the reply,

I want dropdown in a same way ->client_name(client_id) ,example: Smith(123)

but  in a token I only want client_id(123) not client_name(Smith), as I want to use in a panel query

 

<row>
<panel>
<chart>
<title>  Volume</title>
<search>
<query>Basic Search | search client_id="$clientId$" |eval URI1 = uri.....| timechart span="1m" count by URI1 usenull=f useother=f</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

0 Karma

smahuja
Explorer

Cool, Thanks..

Its working, sorry I misunderstood..

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...