Splunk dashboard: We have a dropdown with 2 possible values, option1 and option2.
Based on what the user selects, either
option1: ("A" or "B") gets added to both base-query and query, OR
option2: ("X" or "Y") gets added to both base-query and query.
1. If user selects "option1", query is
<search id="base_query">
<query>index=logs sourcetype=ci "Shipping Finished" ("A" OR "B") ...</query>
<search base="base_query">
<query> | join some_field [ search index=logs sourcetype=ci | search ("A" OR "B") AND "Received complete status"
2. If user selects "option2", query is:
<search id="base_query">
<query>index=logs sourcetype=ci "Shipping Finished" ("X" OR "Y") ... </query>
<search base="base_query">
<query> | join some_field [ search index=logs sourcetype=ci | search ("X" OR "Y") AND "Received complete status"
Thanks ITWhisperer. This works. In the past I was adding () around my search strings, which is why it didn't work.
Here's the correct way to define the input dropdown; I added values as follows:
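<input type="dropdown" token="ip_family" searchWhenChanged="true">
<label>IP Family</label>
<!-- Double quotes inside the attribute value are escaped as &quot; so the XML stays well-formed -->
<choice value="&quot;Foo&quot; OR &quot;Bar&quot;">option1</choice>
<choice value="&quot;Boo&quot; OR &quot;Baz&quot;">option2</choice>
</input>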
Your dropdown sets a token to a string. This string is substituted into your searches whenever it is mentioned.
<search id="base_query">
<query>index=logs sourcetype=ci "Shipping Finished" $token$ ...</query>
<search base="base_query">
<query> | join some_field [ search index=logs sourcetype=ci | search $token$ AND "Received complete status"