Splunk Search

Unable to render the dropdown value in the search for the 1st time?

New Member

I have a dashboard that gets its base query from a dropdown option and that to run that base query takes the values from other dropdown and populate it and then run the search.

this is a part of the query:

<input type="dropdown" token="tokSearchOption1" searchWhenChanged="true">
<label>Select Query</label>
<choice value="Orginal">Original</choice>
<choice value="Filtered">Filtered</choice>
<condition value="Orginal">
<set token="tokSearchQuery">index=pos 
| fields host,_raw
| rex field=host "REG(?&lt;store_id&gt;\d{1,4})(?&lt;register_id&gt;\d{1,2})"| search store_id="$store_id$" AND register_id="$register_id$"

where store_id and register_id values are rendered from another dropdown. 

But when we 1st time hit the submit in the dashboard the query shows no result and this is due to the fact that it is not able to render the dropdown values from other ie. it is not taking the value from the store_id dropdown  and the register id dropdown.
This happens just for the 1st time the dashboard is loaded but then after on it works fine!
How to fix the issue?


Labels (1)
0 Karma


I had this happening, too.  In my case, I had a default value for the controlling token.  Because the <condition /> section is under <change/>, I wouldn't have set the token under <condition/> because there had been no change.

One way to force <change/> is to set no default, no initial value.  Alternatively, if you must have an initial or default value, you can set a dummy search at the beginning of Simple XML, e.g.,


    | makeresults
    | eval tokenSearchOption1 = $tokenSearchOption1$
    <condition match="tokenSearchOption1==&quot;Original&quot;">
      <set token="tokenSearchQuery">


Here is a test dashboard I set up when I was learning this:

  <label>Set token on load</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="master_token" searchWhenChanged="true">
      <label>master token</label>
      <choice value="Data Entry">Data entry</choice>
      <choice value="Click Only">Click only</choice>
      <choice value="Attachment">Attachment</choice>
      <default>Data Entry</default>
      | makeresults
      | fields - _time
      | eval master_token="$master_token$"
      <condition match="master_token==&quot;Data Entry&quot;">
        <set token="data_entry">True</set>
        <unset token="attachment"></unset>
        <unset token="click_only"></unset>
      <condition match="master_token==&quot;Click Only&quot;">
        <set token="click_only">True</set>
        <unset token="data_entry"></unset>
        <unset token="attachment"></unset>
      <condition match="master_token==&quot;Attachment&quot;">
        <set token="attachment">True</set>
        <unset token="click_only"></unset>
        <unset token="data_entry"></unset>
        <div>master_token: $master_token$</div>
        <div>data_entry: $data_entry$</div>
        <div>click_only: $click_only$</div>
        <div>attachment: $attachment$</div>


Tags (1)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...