- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dropdown populated by search ok, now how to set a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dropdown populated by search ok, now how to set a token based on an alternate field
<input type="dropdown" token="tok_choice" searchWhenChanged="true">
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query> ... | stats dc(field2) as field2number by host </query>
</search>
<change>
<condition match=" like($tok_choice$,"%") ">
<set token="show_another_panel">show</set>
<set token="another_result"> $result.field2number$ </set>
</condition>
</change>
</input>
The token for 'show_another_panel' is working just fine but the other token is treating the whole $result.field2number$ as full text including the $. The drop down is working as expected with fieldForLabel and fieldForValue.
I have tried the following.
<done>
<set token="another_result"> $result.field2number$ </set>
</done>
This sets the token to the field2number first row. The value does not update to the row based upon selecting a new host.
When selecting a new host, I want the token to update to the corresponding value of the alternate row. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Within the change tag have you tried to reference the $label$ or $value$ from the dynamic search using these tokens?
<set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set>
Here's a basic SimpleXML page with a dynamic dropdown and a couple HTML panels to show the value of the tokens being set:
<form version="1.1">
<label>Dropdown Test</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>source_dc</fieldForValue>
<search>
<query>index=_internal earliest=-6h | stats dc(source) as source_dc by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<html>$show_another_panel$</html>
</panel>
<panel>
<html>$another_result$</html>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not exactly what I was looking for. I have the Label and Value mapped to field 1 as that is the user friendly value and unique. I have field 2 which means nothing to my users and is a varied value field.
The Label/Value combo feeds panel_A chart which works very well. I have panel_B chart which I would like powered from field2 without having to create a second drop down with the same values. Two for the price of one.
I am going to try and make the Label field a combo of the 2 and then set a token to a regex extraction from $Label which may just work. But I feel it's janky and cheating. I am hoping someone will have a much better idea.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
