Splunk Search

Passing different base search based on input dropdown values

smanojkumar
Contributor

Hello Splunkers,

I have an input dropdown field. When I select "*" in that input dropdown field, I need to pass base search 1 to all searches in the dashboard. When I select any other value apart from "*", I need to pass base search 2 to all searches in the dashboard.

<form version="1.1">
  <label>Clone sample</label>
  <search>
    <query>
| makeresults
| eval curTime=strftime(now(), "GMT%z")
| eval curTime=substr(curTime,1,6)
|rename curTime as current_time
</query>
    <progress>
      <set token="time_token_now">$result.current_time$</set>
    </progress>
  </search>
  <search id="base_1">
    <query>
index=2343306  sourcetype=logs*
| head 10000
| fields _time index Eventts IT _raw
| fillnull value="N/A"
</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <search id="base_2">
    <query>
index=2343306 sourcetype=logs*
| where isnotnull(CODE)
| head 10000
| fields _time index Eventts IT CODE _raw
| fillnull value="N/A"
</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1">
      <label>field1</label>
      <choice value="All">All</choice>
      <choice value="M1">M1</choice>
      <choice value="A2">A2</choice>
      <change>
        <eval token="base_token">case("All"="field1", "base_1", "All"!="field1", "base_2")</eval>
      </change>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>table</title>
        <search base="$base_token$">
          <query>| table *</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>


I have tried passing a token in the input dropdown, but it doesn't work. Can you please help me fix this issue?


Thanks!

0 Karma

yuanliu
SplunkTrust

I have a suspicion that this is another homework assignment, as multiple people posted exactly the same questions at the same time. But if there is a real use case, try assigning search terms to the token directly. Like this:

<form version="1.1">
  <label>Pass codebase</label>
  <description>https://community.splunk.com/t5/Splunk-Search/passing-diffrent-base-search-based-on-inputput-dropdown-values/m-p/703055</description>
  <search>
    <query>
| makeresults
| eval curTime=strftime(now(), "GMT%z")
| eval curTime=substr(curTime,1,6)
|rename curTime as current_time
</query>
    <progress>
      <set token="time_token_now">$result.current_time$</set>
    </progress>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1">
      <label>field1</label>
      <choice value="All">All</choice>
      <choice value="M1">M1</choice>
      <choice value="A2">A2</choice>
      <change>
        <eval token="base_token">case("All"==field1, "| makeresults | eval message = \"Give me an A\"", "All"!=field1, "| makeresults | eval message = \"Give me a B\"")</eval>
      </change>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel 1</title>
      <table>
        <title>base_token: $base_token$</title>
        <search>
          <query>$base_token$
| eval do_i_get_A = if(match(message, "\bA$"), "Yes!", "naha")</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Panel 2</title>
      <table>
        <title>base_token: $base_token$</title>
        <search>
          <query>$base_token$
| eval do_i_get_B = if(match(message, "\bB$"), "Yes!", "naha")</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

Here are the three selections:

[Three screenshots of the dashboard, one per selection]

Note your original code has a syntax error in the case function. But even without it, tokens cannot be used to set an XML attribute. That's why it would not work as desired. The above dashboard instead sets the token value to the search string. In the strict sense, this is an inline search, not a chain search. If you have many panels, the same search might be executed too many times. If performance is very important, there may be a way to set the token value to the base searches' sid and use the loadjob command.

0 Karma
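The loadjob idea mentioned at the end of the answer above, sketched as an added example (not code from either poster): each base search publishes its job id through `$job.sid$` in a `<done>` handler, and the radio input copies the matching sid into a token that the panel passes to `loadjob`. The token names `base_1_sid`, `base_2_sid` and `active_sid` are assumptions of this example; the queries are the ones from the question.

```xml
<form version="1.1">
  <label>Base search selected by sid</label>
  <!-- Each base search runs once per time range and stores its job id. -->
  <search id="base_1">
    <query>index=2343306 sourcetype=logs*
| head 10000
| fields _time index Eventts IT _raw
| fillnull value="N/A"</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
    <done><set token="base_1_sid">$job.sid$</set></done>
  </search>
  <search id="base_2">
    <query>index=2343306 sourcetype=logs*
| where isnotnull(CODE)
| head 10000
| fields _time index Eventts IT CODE _raw
| fillnull value="N/A"</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
    <done><set token="base_2_sid">$job.sid$</set></done>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="radio" token="field1">
      <label>field1</label>
      <choice value="All">All</choice>
      <choice value="M1">M1</choice>
      <choice value="A2">A2</choice>
      <change>
        <!-- "All" selects base_1; the attribute-less condition is the default. -->
        <condition value="All"><set token="active_sid">$base_1_sid$</set></condition>
        <condition><set token="active_sid">$base_2_sid$</set></condition>
      </change>
    </input>
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time Range</label>
      <default><earliest>-60m@m</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Panels reuse the finished job instead of re-running the search. -->
        <search><query>| loadjob $active_sid$ | table *</query></search>
      </table>
    </panel>
  </row>
</form>
```

`active_sid` is only refreshed when the radio selection changes, so after a time range change (which re-runs both base searches under new sids) the selection has to be made again, and a selection made before a base search finishes copies an unset token.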