- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to make a search run or populate a dropdown if...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to make a search run or populate a dropdown if condition is met using simple xml?
So I have a dropdown called Repository, that populates a search and another dropdown called Namespace that has set choices. I only want there to be options if a certain Repository, "strawman" is chosen. Is there a way I can do that with populating search for the Namespace option? Here is my Simple XML, also the company I work for is really big on security so I can't do any Javascript and I'd rather stick to Simple XML
<input type="dropdown" token="repository" searchWhenChanged="true">
<label>Repository:</label>
<default>strawman</default>
<choice value="*">Any</choice>
<populatingSearch fieldForValue="repository" fieldForLabel="repository">
<![CDATA[index = git earliest="01/01/2009:20:00:00" latest=now() |table Data.payload.repository.name | dedup Data.payload.repository.name | sort Data.payload.repository.name | rename Data.payload.repository.name AS repository]]>
</populatingSearch>
</input>
<input type="dropdown" token="namespace" searchWhenChanged="true">
<label>Namespace: (Strawman Rep. Only)</label>
<default>*</default>
<choice value="*">Any</choice>
<choice value="Payments/">Payments</choice>
<choice value="Invoicing/">Invoicing</choice>
<choice value="Network/">Networking</choice>
</input>
Or is there a way I can have my searches just wildcard the $namespace$ option if $repository$ doesn't equal "strawman"?
Here is my search:
Index=git OR index=git "Data.payload.head_commit.modified{}" = "*$namespace$*" "Data.payload.head_commit.modified{}" = "*$file$*" "Data.payload.head_commit.modified{}" = "*$extension$" "Data.payload.repository.name" = "*$repository$*" | table Data.payload.head_commit.committer.name |stats count by Data.payload.head_commit.committer.name | dedup Data.payload.head_commit.committer.name | sort by -count | rename Data.payload.head_commit.committer.name as "Committer Name" | head 20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this as your Namespace dropdown xml
<input type="dropdown" token="namespace" searchWhenChanged="true">
<label>Namespace: (Strawman Rep. Only)</label>
<default>*</default>
<choice value="*">Any</choice>
<populatingSearch fieldForValue="namespace" fieldForLabel="namespace">
<![CDATA[|gentimes start=-1 | eval repository="strawman" | table repository
| eval namespace="Payments Invoicing Networking" | makemv namespace | mvexpand namespace
| where repository="$repository$"]]>
</populatingSearch>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
i've got a similar scenario where i am trying to store current timestamp (EPOCH) into a KVStore.
however i cant seem to get it working.Some help will be appreciated
// Create Search manger to get current timestamp EPOCH TIME
var timestamp_search = new SearchManager({
"id": "timestamp_search",
"status_buckets": 0,
"latest_time": "$latest$",
"search": "| stats count as timestamp | eval timestamp = now()",
"earliest_time": "$earliest$",
"cancelOnUnload": true,
"app": utils.getCurrentApp(),
"auto_cancel": 90,
"preview": true,
"runWhenTimeIsUndefined": false
}, {tokens: true});
// retrieve data from search manager
var timestamp_search_obj = timestamp_search.data("preview");
timestamp_search_obj.on("data", function() {
var timestamp_search_result = timestamp_search_obj.data().rows;
});
// Create a dictionary to store the field names and values
var record = {
"time-stamp": timestamp_search_result
};
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Version 6.03
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk are you using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I do not
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a submit button in your form/dashboard?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey that works great! Thank you! The only slight problem is if I choose "strawman" as the Repository and then choose a Namespace, but then I change the Repository to something else, the Namespace option populates no results as it should, but none of my other searches produce results because I think the searches still have a Namespace option filled out, when it should be "*". So basically how do I have it reset back to default? If possible
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any solution provided?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
