Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

custom Dropdrown with "ALL'

nithys
Communicator
‎03-22-2025 01:38 PM

Hi 
I have dashboard with Data Entity drop down ,i want to add a drop drown "ALL" ,if i select ALL and hit submit button, 

It shows for all data api "/aws/lambda/api-data-$stageToken$-*"

<query>index=$indexToken$  source IN ("/aws/lambda/api-data-$stageToken$-$entityTokenFirst$") msg="data:invoke"

<form version="1.1" theme="dark" submitButton="true">
  <label>Stats</label>
  <fieldset>
    <input type="dropdown" token="indexToken1" searchWhenChanged="false">
      <label>Environment</label>
      <choice value="prod,prod">PROD</choice>
      <choice value="np,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np,test</default>
    </input>
    <input type="dropdown" token="entityToken" searchWhenChanged="false">
      <label>Data Entity</label>
      <choice value=“name,0”>name</choice>
      <choice value="targetProduct,*-test-target">Target </choice>
      <choice value="product,*-test-product">Product </choice>
      <choice value=“address,0”>address</choice>
      <change>
        <!-- Split the value and set tokens for both parts -->
        <set token="entityLabel">$label$</set>
        <eval token="searchName">mvindex(split($value$, ","),1)</eval>
        <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>
      </change>
    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Distinct Consumer Count</title>
      <single>
        <search>
          <query>index="np" source="**" 
| spath path=$stageToken$.nsp3s{} output=nsp3s
| mvexpand nsp3s
| spath input=nsp3s path=Name output=Name
| spath input=nsp3s path=DistinctAdminUserCount output=DistinctAdminUserCount
| search Name=$searchName$
| sort -_time
| head 1
| appendpipe
    [ stats count
      | eval Name=if(count==0 OR isnull("$searchName$") OR "$searchName$"=="", "No NSP", "$searchName$")
      | fields DistinctAdminUserCount
    ]</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title>Event Processed</title>
      <single>
        <search>
          <query>index="$indexToken$" source="publish-$entityTokenFirst$-$stageToken$-nsp" 
* Published to NSP3 objectType* | stats count</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>

  </row>
  <row>
    <panel>
      <title>Total Request :</title>
      <single>
        <search>
          <query>index=$indexToken$  source IN ("/aws/lambda/api-data-$stageToken$-$entityTokenFirst$") msg="data:invoke" | stats count</query>
          <earliest>$timeToken.earliest$</earliest>
          <latest>$timeToken.latest$</latest>
          <refresh>60m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">317</option>
        <option name="rangeColors">["0xcba700","0xdc4e41"]</option>
        <option name="rangeValues">[200]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.size">large</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  
  </row>
</form>

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

catdadof3
Explorer
‎03-22-2025 03:53 PM

Sorry, I'm a little confused by what you want. Do you want the $entityTokenFirst$ to be set to an * when the user selects ALL?

If so, add a condition to your change.

    <input type="dropdown" token="entityToken" searchWhenChanged="false">
      <label>Data Entity</label>
      <choice value="name,0">name</choice>
      <choice value="targetProduct,*-test-target">Target </choice>
      <choice value="product,*-test-product">Product </choice>
      <choice value="address,0">address</choice>
      <choice value="ALL">ALL</choice>
      <change>
        <condition value="ALL">
          <set token="entityTokenFirst">*</set>
        </condition>
        <condition>
          <!-- Split the value and set tokens for both parts -->
          <set token="entityLabel">$label$</set>
          <eval token="searchName">mvindex(split($value$, ","),1)</eval>
          <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>          
        </condition>
      </change>
    </input>

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2025 01:58 AM

Why are you using IN when you only ever have one value? Try like this

<query>index=$indexToken$  source="/aws/lambda/api-data-$stageToken$-$entityTokenFirst$" msg="data:invoke" | stats count</query>
Reply
Solved! Jump to solution
Solution

catdadof3
Explorer
‎03-22-2025 03:53 PM

Sorry, I'm a little confused by what you want. Do you want the $entityTokenFirst$ to be set to an * when the user selects ALL?

If so, add a condition to your change.

    <input type="dropdown" token="entityToken" searchWhenChanged="false">
      <label>Data Entity</label>
      <choice value="name,0">name</choice>
      <choice value="targetProduct,*-test-target">Target </choice>
      <choice value="product,*-test-product">Product </choice>
      <choice value="address,0">address</choice>
      <choice value="ALL">ALL</choice>
      <change>
        <condition value="ALL">
          <set token="entityTokenFirst">*</set>
        </condition>
        <condition>
          <!-- Split the value and set tokens for both parts -->
          <set token="entityLabel">$label$</set>
          <eval token="searchName">mvindex(split($value$, ","),1)</eval>
          <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>          
        </condition>
      </change>
    </input>

 

0 Karma
Reply
Solved! Jump to solution

nithys
Communicator
‎03-23-2025 08:27 AM

@ITWhisperer @catdadof3 
yes want to set $entityTokenFirst$ to * when the user selects "ALL" in the dropdown,  observing that search queries are being executed automatically (auto-run) whenever you switch dropdown values or filters, without explicitly hitting the submit button.  looking for an alternative way to achieve this behavior without triggering auto-run searches.
HOw to apply multiple condition only when they hit a submit

<change>
        <condition value="ALL">
          <set token="entityTokenFirst">*</set>
        </condition>
        <condition>
          <!-- Split the value and set tokens for both parts -->
          <set token="entityLabel">$label$</set>
          <eval token="searchName">mvindex(split($value$, ","),1)</eval>
          <eval token="entityTokenFirst">mvindex(split($value$, ","),0)</eval>          
        </condition>
      </change>

below dashboard is working only when i hit submit button,no condition is being used below

<form>
<label>stats Clone metrics</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="indexToken1" searchWhenChanged="false">
      <label>Environment</label>
      <choice value="prod,prod">PROD</choice>
      <choice value="np,test">TEST</choice>
      <change>
        <eval token="stageToken">mvindex(split($value$,","),1)</eval>
        <eval token="indexToken">mvindex(split($value$,","),0)</eval>
      </change>
      <default>np,test</default>
    </input>
    <input type="dropdown" token="entityToken" searchWhenChanged="false">
      <label>Data Entity</label>
      <choice value="target">Target </choice>
      <choice value="product">Product</choice>
      <choice value="*">ALL</choice>

    </input>
    <input type="time" token="timeToken" searchWhenChanged="false">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  </form>

  

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...