Splunk Search

What is the query to update table of a panel with values chosen from a dropdown?

surekhasplunk
Communicator

I have a drop-down to choose values of quarter.

<label>Choose Quarter</label>
  <choice value="Q">Quarter</choice>
  <choice value="Q1">Q1</choice>
  <choice value="Q2">Q2</choice>
  <choice value="Q3">Q3</choice>
  <choice value="Q4">Q4</choice>

Now if I choose Q2, one of my panels should get populated with all those values from the abc.csv file where "Cuorse_Name"=H1,
and if I choose Q4, then the same panel should get populated with values from the same abc.csv file where "Cuorse_Name"=H2.

Please help with the query.

0 Karma
1 Solution

surekhasplunk
Communicator

Hi @kamlesh_vagela and @cusello

I had to tweak the query to add a where clause instead of search, | where 'Course_name' == dp,
and == for field comparison, and now it's working as expected.

But for the condition where I have to get all rows, I am not getting that.
I added selected=All and tried to assign * to it, which is not returning any result.

| eval dp=case(selected=="Q1","H1 2017", selected=="Q2","H2 2017", selected=="All","*",1=1,0)

0 Karma
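
An added example, not part of the original posts: one way to make the "All" choice return every row with the where approach above. where compares dp with the field value literally, so "*" is not a wildcard there, and the example tests dp for the "*" sentinel instead. The token name quarter, abc.csv, Course_name and field2..field4 come from the thread; the form label and the use of the |s token filter are choices made for this example.

```xml
<form>
  <label>Quarter filter (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="quarter">
      <label>Choose Quarter</label>
      <choice value="All">All</choice>
      <choice value="Q1">Q1</choice>
      <choice value="Q2">Q2</choice>
      <default>All</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- $quarter|s$ wraps the token value in quotes and escapes it,
           so the value reaches eval as a string literal. -->
      <!-- search "Course_name"=dp compares against the literal text dp;
           where 'Course_name'==dp compares the two field values. -->
      <!-- dp=="*" is a literal test that disables the filter for All.
           An unmapped choice leaves dp null, so no rows are returned. -->
      <table>
        <search>
          <query>
| inputlookup abc.csv
| eval selected=$quarter|s$
| eval dp=case(selected=="Q1","H1 2017", selected=="Q2","H2 2017", selected=="All","*")
| where dp=="*" OR 'Course_name'==dp
| chart count as field2 over field3 by field4
          </query>
        </search>
      </table>
    </panel>
  </row>
</form>
```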

kamlesh_vaghela
SplunkTrust

Great @surekhasplunk,

Please accept your answer and upvote my and @cusello's comments on the previous post.

Thanks
Happy Splunking

0 Karma

gcusello
SplunkTrust

Hi surekhasplunk,
this is an example for your needs:

<form>
  <label>test1</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="log_level">
      <label>log_level</label>
      <choice value="*">All</choice>
      <choice value="INFO">INFO</choice>
      <choice value="DEBUG">DEBUG</choice>
      <choice value="ERROR">ERROR</choice>
      <choice value="WARN">WARN</choice>
      <choice value="WARNING">WARNING</choice>
      <prefix>log_level=</prefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal $log_level$</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

In a few words: in the dropdown you have to insert the values to search, in the prefix tag the field name, and in the search the tag using $.

Bye.
Giuseppe

0 Karma

surekhasplunk
Communicator

Hi @cusello,

My dropdown works well for populating other tables in the dashboard where there is a column with value Q1 etc.
It's a problem only when the file doesn't have that data.
So we have to manipulate Q1=H1, Q2=H2, Q3=H3, etc.

|inputlookup abc.csv |eval dp=case('$quarter$'=="Q1","H1", '$quarter$'=="Q2","H2",1=1,0)|search "Course_name"='$dp$' | chart count as field2 over field3 by field4

Currently I am trying to use this query but not getting proper results; $dp$ is not getting the value from the case statement.
Please help.

0 Karma

gcusello
SplunkTrust

Let me understand:
Do you have a column called Cuorse_Name where sometimes there are values Q1, Q2, ... and sometimes H1, H2, ... but the column name is always the same,
or do you have values Q1, Q2 in one column (e.g. Cuorse_Name1) and H1, H2 in another column (e.g. Cuorse_Name2)?
Which one?

In the first case you can use the eval command:

| eval Cuorse_Name=case(Cuorse_Name="H1","Q1",Cuorse_Name="H2","Q2",...)

In the second one, you have to use the same eval command and a coalesce function:

| eval Cuorse_Name=coalesce(Cuorse_Name1,Cuorse_Name2)
| eval Cuorse_Name=case(Cuorse_Name="H1","Q1",Cuorse_Name="H2","Q2",...)

Bye.
Giuseppe

surekhasplunk
Communicator

Hi @cusello,

From the dropdown I can select Q1 or Q2 or Q3 or Q4.

In my csv file I have a field called "Course Name" which has values like "H1 2017", "H2 2017", etc.
So if I choose Q1, I should search for "Course Name"=H1 and show the rest of the items from the csv file.

Thanks

0 Karma

gcusello
SplunkTrust

Hi @surekhasplunk,
put an asterisk in the value:

<choice value="Course_Name=H1*">Q1</choice>

or in the search extract the quarter value:

| eval Course_Name=substr(Course_Name,1,2)

and use it for the filter.
If you can, don't use spaces in field names (Course Name); if you must, use double quotes ("Course Name").

Bye.
Giuseppe

gcusello
SplunkTrust

Hi @surekhasplunk,
If you're satisfied, please accept and/or upvote the answer.
Bye.
Giuseppe

kamlesh_vaghela
SplunkTrust

Hi @surekhasplunk,

Can you please try this?

| inputlookup abc.csv 
| eval selected="$quarter$"
| eval dp=case(selected=="Q1","H1", selected=="Q2","H2",1=1,0) 
| search "Course_name"=dp 
| chart count as field2 over field3 by field4

surekhasplunk
Communicator

Hi @kamlesh_vagela,

I tried your way, but I read somewhere that eval creates fields and not variables/tokens.
So here two fields, selected and dp, are getting created, but the command search "Course_name"=dp is not working as expected to match the values of the fields.
Though both have got the same values, it's not returning anything.

0 Karma