Solved: pass all the values of a dropdown to a token

anooshac · ‎05-24-2021

Hi all,

I have a dynamic drop down which has the values from a search query. I want to assign all those values to a token for <condition Label= "All">. Also i want those values to be delimited during the assignment. I have tried a lot and failed to implement. Can anyone please help me with this??

ITWhisperer · ‎05-24-2021

The first part sets up some dummy data. Then append and empty event, collect all the other values (this is added to all events but is removed later), set the label field (or whatever yours is called) to "All", and set the value field (or whatever yours is called) to the joined multivalue, delimiting by whatever you need for your value. Finally, limit the returned fields to be just the ones your want (not strictly necessary as you are specifying which field to use as the label and which to use as the value anyway).

| gentimes start=-1 increment=4h
| rename starttime as _time 
| fields _time
| streamstats count as row 
| eval label=mvindex(split("ABCDEF",""),(row - 1)%6)
| eval value=mvindex(split("pqrstu",""),(row - 1)%6)
| table label value


| append 
    [| makeresults]
| eventstats values(value) as allvalues
| fillnull value="All" label
| eval value=if(isnull(value),mvjoin(allvalues," "),value)
| fields label value
| table label value

You may want to play around with this so that the events are returned in the order you want e.g. All as the first item.

View solution in original post

ITWhisperer · ‎05-24-2021

Can you change your query used to populate the drop down so that an extra row is returned with the label field set to all and the value field set the all the other values delimited as you would like?

anooshac · ‎05-24-2021

Hi.. thank you for replying. I have tried combining the values using mvjoin command. But once these values are put together in a row with a delimiter, i was not able to display the other column which having individual values of the dropdown. Do you have any solution for this?

ITWhisperer · ‎05-24-2021

The first part sets up some dummy data. Then append and empty event, collect all the other values (this is added to all events but is removed later), set the label field (or whatever yours is called) to "All", and set the value field (or whatever yours is called) to the joined multivalue, delimiting by whatever you need for your value. Finally, limit the returned fields to be just the ones your want (not strictly necessary as you are specifying which field to use as the label and which to use as the value anyway).

| gentimes start=-1 increment=4h
| rename starttime as _time 
| fields _time
| streamstats count as row 
| eval label=mvindex(split("ABCDEF",""),(row - 1)%6)
| eval value=mvindex(split("pqrstu",""),(row - 1)%6)
| table label value


| append 
    [| makeresults]
| eventstats values(value) as allvalues
| fillnull value="All" label
| eval value=if(isnull(value),mvjoin(allvalues," "),value)
| fields label value
| table label value

You may want to play around with this so that the events are returned in the order you want e.g. All as the first item.

anooshac · ‎05-24-2021

Thank you for the answer. This works good for fixed values. any idea on how to do that for dynamic values? Because the dropdown in my dashboard has the values fetched by a query which depends on different files.

ITWhisperer · ‎05-24-2021

The first part should be replaced with your query that currently generates the labels and values for the dropdown.

anooshac · ‎05-24-2021

Yeah i got it.. In my query i only generate values.. Can it be done without the labels? Or is there any other technique by which i can assign all the values in the drop down to a single token with delimiter? Sorry for asking so many questions i am just learning the Splunk..

ITWhisperer · ‎05-24-2021

Your dashboard XML will have two elements <fieldForLabel> and <fieldForValue>. You probably have these set to be the same field name (the field returned by your query). Simply change one of them to another name and then in your search query, assign the new field name to the value of your existing field.

<fieldForLabel>originalField</fieldForLabel>
<fieldForValue>valueField</fieldForValue>

and

...search
| eval valueField=originalField

anooshac · ‎05-24-2021

Thank you.. I will try this..

do you any simple method to just assign all the values to the token?

<condition label="All">
<set token="Tok_all">"All the values should be should be assigned here"</set>

</condition>

Thank you in advance..

ITWhisperer · ‎05-25-2021

If I knew of a way to do this as you describe, I would probably have told you. There seems to be only one chance to generate dynamic content for the dropdown and that is through the search query, so you need to exploit that to give you all the dynamic content you require.

anooshac · ‎05-25-2021

I am sorry for that... Just asked if there are any methods for that.. Thank you so much for the help.. I'll try this only and implement it..

pass all the values of a dropdown to a token

token

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector