Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

wanted to populate mutiseect token with if else condition in panel

bapun18
Communicator
‎08-10-2020 01:31 PM

Hi
I have a dashboard, my requirement is like when a user will select a value Splunk in a multi-select, my pannel quey will search field=$token_of_multiselect$ or field="*report*" or field="*dashboard*".

By default my panel query is taking field="*splunk*" I wanted to add an OR condition to it so that when token value will be selected as splunk, it should add report and dashboard.

Example:
On below, component is returning Splunk and some other process value.

bapun18_0-1597090920020.png

index=abcde sourcetype=efghi (description="*$token_of_multiselect$*" OR description_1="*$token_of_multiselect$*")

above is my pannel query with some table in it, so when I will have Splunk selected on component, I want my query like below.

index=abcde sourcetype=efghi (description="*splunk*" OR description_1="*splunk*" OR description="*report*" OR description_1="*dashboard*" )

Please write sample code in answer.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-11-2020 09:32 AM

@bapun18 

 

Are you looking for this?

 


<input type="dropdown" token="smile">
<label>Dropdown</label>
<choice value="*">All</choice>
<choice value="A,B,C,D,E">Hey</choice>
<choice value="F,G,H,I,J,K">Hello</choice>
</input>



index=myindex [| makeresults | eval value="$smile$" | makemv value delim="," | mvexpand value | eval field_1="*".value."*",field_2="*".value."*" | fields field_1, field_2 | format] | REST OF THE SEARCH

 

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-11-2020 09:32 AM

@bapun18 

 

Are you looking for this?

 


<input type="dropdown" token="smile">
<label>Dropdown</label>
<choice value="*">All</choice>
<choice value="A,B,C,D,E">Hey</choice>
<choice value="F,G,H,I,J,K">Hello</choice>
</input>



index=myindex [| makeresults | eval value="$smile$" | makemv value delim="," | mvexpand value | eval field_1="*".value."*",field_2="*".value."*" | fields field_1, field_2 | format] | REST OF THE SEARCH

 

Reply
Solved! Jump to solution

bapun18
Communicator
‎08-11-2020 11:58 AM

Thank Kamesh,
Worked for me. This is what I was looking for.

0 Karma
Reply
Solved! Jump to solution

impurush
Contributor
‎08-10-2020 01:39 PM

Hi,

Need some more information to understand the question exactly.

1. In the component drop-down, the data is hard-coded or generated dynamically?
2. If you can paste the drop-down XML, it would be easy to answer.

0 Karma
Reply
Solved! Jump to solution

bapun18
Communicator
‎08-10-2020 02:26 PM

Hi Here is the query I have used in dropped down. I want to put these reports, dashboard alert, etc to the pannel when Splunk is selected in the dropdown similarly I will define something for process1 so that whenever I will select process1, my defined fields will be searched in the panel along with the token.

index=abcde sourcetype=efghi | dedup sn_number | rex field=_raw "(?process1)" | rex field=_raw "(?splunk)" | rex field=_raw "(?report)" | rex field=_raw "(?dashboard)" | rex field=_raw "(?alert)" | dedup process | table Process | eval Process=case(process=="report","Splunk", process=="dashboard","Splunk", process=="alert","Splunk",process=="splunk","Splunk",1=1,"process1") | table Process

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-10-2020 03:09 PM

sample:

<form>
  <search id="base1">
    <query>| tstats count where index=_internal by sourcetype</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="multiselect" token="multiselect1">
      <label>sourcetype</label>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search base="base1">
        <query>| table sourcetype | eval label=sourcetype</query>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>sourcetype="</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base1">
          <query>where $multiselect1$</query>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Solved! Jump to solution

bapun18
Communicator
‎08-11-2020 07:59 AM

Hi,
How would I pass the condition with token?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...