Splunk Search

Set token from dropdown

smahuja
Explorer

Hi,

I have a dropdown with dynamic query

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client_id</fieldForLabel>
<fieldForValue>client</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

For display dropdown in dashboard, I want exactly like: clientName(Client_id) ex: Tester(123).

but in panel queries I want only clientId in a token, no clientName.

any help would be appreciated.

thanks !!!

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need client and client_id in the table returned by the query and I think you have the label and value fields the wrong way around. Try something like this:

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>
0 Karma

smahuja
Explorer

thanks for the reply,

I want dropdown in a same way ->client_name(client_id) ,example: Smith(123)

but  in a token I only want client_id(123) not client_name(Smith), as I want to use in a panel query

 

<row>
<panel>
<chart>
<title>  Volume</title>
<search>
<query>Basic Search | search client_id="$clientId$" |eval URI1 = uri.....| timechart span="1m" count by URI1 usenull=f useother=f</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

That's what this does.

fieldForValue is client_id (not client as you had in you original post). This is the value that the token clientId is set to when the user selects the option, and this is what you use in the panel query.

fieldForLabel is the composite string you constructed from the client name with the client_id in brackets. This is what is displayed in the dropdown.

<input type="dropdown" token="clientId" searchWhenChanged="true">
<label>Integrator</label>
<fieldForLabel>client</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
<search>
<query>basic search | lookup clients client_id as client_id OUTPUTNEW client_name client_id
| eval client = client_name +"(" + client_id +")" | dedup client
| table client_id client</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>

How is this different to what you asked for?

0 Karma

smahuja
Explorer

Cool, Thanks..

Its working, sorry I misunderstood..

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...