Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

passing diffrent base search based on inputput dropdown values

smanojkumar
Contributor
4 weeks ago

Hello Splunkers,

   I'm having a inputput dropdown field, when i'm selecting "*" in that input dropdown field, I need to pass base search 1 to all searches in dashboard, when I'm selecting any other values apart from "*". I need to pass base search 2 to all searches in dashboard.

<form version="1.1">
<label>Clone sample</label>
<search>
<query>
| makeresults
| eval curTime=strftime(now(), "GMT%z")
| eval curTime=substr(curTime,1,6)
|rename curTime as current_time
</query>
<progress>
<set token="time_token_now">$result.current_time$</set>
</progress>
</search>
<search id="base_1">
<query>
index=2343306  sourcetype=logs*
| head 10000
| fields _time index Eventts IT _raw
| fillnull value="N/A"

</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<search id="base_2">
<query>
index=2343306 sourcetype=logs*
| where isnotnull(CODE)
| head 10000
| fields _time index Eventts IT CODE _raw
| fillnull value="N/A"
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="radio" token="field1">
<label>field1</label>
<choice value="All">All</choice>
<choice value="M1">M1</choice>
<choice value="A2">A2</choice>
<change>
<eval token="base_token">case("All"="field1", "base_1", "All"!="field1", "base_2")</eval>
</change>
</input>
<input type="time" token="time_token" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>table</title>
<search base="$base_token$">
<query>| table *</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>


I have tries passing token in input dropdown it dosent work, can you please help me in fixing this issue.


Thanks!

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
3 weeks ago

I have a suspicion that this is another homework assignment as multiple people posted exactly same questions at the same time.  But if there is a real use case, try assign search terms to token directly.  Like this:

 

<form version="1.1">
  <label>Pass codebase</label>
  <description>https://community.splunk.com/t5/Splunk-Search/passing-diffrent-base-search-based-on-inputput-dropdown-values/m-p/703055</description>
  <search>
    <query>
| makeresults
| eval curTime=strftime(now(), "GMT%z")
| eval curTime=substr(curTime,1,6)
|rename curTime as current_time
</query>
    <progress>
      <set token="time_token_now">$result.current_time$</set>
    </progress>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1">
      <label>field1</label>
      <choice value="All">All</choice>
      <choice value="M1">M1</choice>
      <choice value="A2">A2</choice>
      <change>
        <eval token="base_token">case("All"==field1, "| makeresults | eval message = \"Give me an A\"", "All"!=field1, "| makeresults | eval message = \"Give me a B\"")</eval>
      </change>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <title>base_token: $base_token$</title>
        <search>
          <query>$base_token$
| eval do_i_get_A = if(match(message, "\bA$"), "Yes!", "naha")</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <title>base_token: $base_token$</title>
        <search>
          <query>$base_token$
| eval do_i_get_B = if(match(message, "\bB$"), "Yes!", "naha")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

Here arethe  three selections:

Screen Shot 2024-10-31 at 1.03.19 AM.pngScreen Shot 2024-10-31 at 1.03.35 AM.png

Screen Shot 2024-10-31 at 1.03.50 AM.png

Note your original code has a syntax error in the case function.  But even without, tokens cannot be used to set XML attribute.  That's why it would not work as desired.  The above dashboard instead sets token value to the search string.  In the strict sense, this is inline search not chain search.  If you have many panels, the same search might be executed too many times.  If performance is very important, there may be a way to set token value to base searches' sid and use loadjob command.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...