- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Dropdown populated by search ok, now how to se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dropdown populated by search ok, now how to set a token based on an alternate field
<input type="dropdown" token="tok_choice" searchWhenChanged="true">
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query> ... | stats dc(field2) as field2number by host </query>
</search>
<change>
<condition match=" like($tok_choice$,"%") ">
<set token="show_another_panel">show</set>
<set token="another_result"> $result.field2number$ </set>
</condition>
</change>
</input>
The token for 'show_another_panel' is working just fine but the other token is treating the whole $result.field2number$ as full text including the $. The drop down is working as expected with fieldForLabel and fieldForValue.
I have tried the following.
<done>
<set token="another_result"> $result.field2number$ </set>
</done>
This sets the token to the field2number first row. The value does not update to the row based upon selecting a new host.
When selecting a new host, I want the token to update to the corresponding value of the alternate row. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Within the change tag have you tried to reference the $label$ or $value$ from the dynamic search using these tokens?
<set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set>
Here's a basic SimpleXML page with a dynamic dropdown and a couple HTML panels to show the value of the tokens being set:
<form version="1.1">
<label>Dropdown Test</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1">
<label>field1</label>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>source_dc</fieldForValue>
<search>
<query>index=_internal earliest=-6h | stats dc(source) as source_dc by sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<change>
<set token="show_another_panel">$label$</set>
<set token="another_result">$value$</set>
</change>
</input>
</fieldset>
<row>
<panel>
<html>$show_another_panel$</html>
</panel>
<panel>
<html>$another_result$</html>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not exactly what I was looking for. I have the Label and Value mapped to field 1 as that is the user friendly value and unique. I have field 2 which means nothing to my users and is a varied value field.
The Label/Value combo feeds panel_A chart which works very well. I have panel_B chart which I would like powered from field2 without having to create a second drop down with the same values. Two for the price of one.
I am going to try and make the Label field a combo of the 2 and then set a token to a regex extraction from $Label which may just work. But I feel it's janky and cheating. I am hoping someone will have a much better idea.
Archived Metrics Now Available for APAC and EMEA realms
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
