Splunk Search

How to make a search run or populate a dropdown if condition is met using simple xml?

dreamwork801
Path Finder

So I have a dropdown called Repository, that populates a search, and another dropdown called Namespace that has set choices. I only want there to be options if a certain Repository, "strawman", is chosen. Is there a way I can do that with a populating search for the Namespace option? Here is my Simple XML. Also, the company I work for is really big on security, so I can't do any JavaScript and I'd rather stick to Simple XML.

<input type="dropdown" token="repository" searchWhenChanged="true">
  <label>Repository:</label>
  <default>strawman</default>
  <choice value="*">Any</choice>
  <populatingSearch fieldForValue="repository" fieldForLabel="repository">
    <![CDATA[index = git earliest="01/01/2009:20:00:00" latest=now() |table Data.payload.repository.name | dedup Data.payload.repository.name | sort Data.payload.repository.name | rename Data.payload.repository.name AS repository]]>
  </populatingSearch>
</input>
<input type="dropdown" token="namespace" searchWhenChanged="true">
  <label>Namespace: (Strawman Rep. Only)</label>
  <default>*</default>
  <choice value="*">Any</choice>
  <choice value="Payments/">Payments</choice>
  <choice value="Invoicing/">Invoicing</choice>
  <choice value="Network/">Networking</choice>
</input>

Or is there a way I can have my searches just wildcard the $namespace$ option if $repository$ doesn't equal "strawman"?

Here is my search:

Index=git OR index=git "Data.payload.head_commit.modified{}" = "*$namespace$*"  "Data.payload.head_commit.modified{}" = "*$file$*" "Data.payload.head_commit.modified{}" = "*$extension$" "Data.payload.repository.name" = "*$repository$*" | table Data.payload.head_commit.committer.name |stats count by Data.payload.head_commit.committer.name | dedup Data.payload.head_commit.committer.name |  sort by -count | rename Data.payload.head_commit.committer.name as "Committer Name" | head 20

somesoni2
SplunkTrust

Try this as your Namespace dropdown XML:

<input type="dropdown" token="namespace" searchWhenChanged="true">
  <label>Namespace: (Strawman Rep. Only)</label>
  <default>*</default>
  <choice value="*">Any</choice>
  <populatingSearch fieldForValue="namespace" fieldForLabel="namespace">
    <![CDATA[|gentimes start=-1 | eval repository="strawman" | table repository 
| eval namespace="Payments Invoicing Networking" | makemv namespace | mvexpand namespace
| where repository="$repository$"]]>
  </populatingSearch>
</input>

samaikins
New Member

Hi,
I've got a similar scenario where I am trying to store the current timestamp (EPOCH) into a KVStore.
However, I can't seem to get it working. Some help will be appreciated.

// Create search manager to get current timestamp (epoch time)
var timestamp_search = new SearchManager({
    "id": "timestamp_search",
    "status_buckets": 0,
    "latest_time": "$latest$",
    "search": "| stats count as timestamp | eval timestamp = now()",
    "earliest_time": "$earliest$",
    "cancelOnUnload": true,
    "app": utils.getCurrentApp(),
    "auto_cancel": 90,
    "preview": true,
    "runWhenTimeIsUndefined": false
}, {tokens: true});

// Retrieve data from search manager
var timestamp_search_obj = timestamp_search.data("preview");
timestamp_search_obj.on("data", function() {
    var timestamp_search_result = timestamp_search_obj.data().rows;
});

// Create a dictionary to store the field names and values
var record = {
    "time-stamp": timestamp_search_result
};

dreamwork801
Path Finder

Version 6.03

somesoni2
SplunkTrust

What version of Splunk are you using?

dreamwork801
Path Finder

No I do not

somesoni2
SplunkTrust

Do you have a submit button in your form/dashboard?

dreamwork801
Path Finder

Hey, that works great! Thank you! The only slight problem is if I choose "strawman" as the Repository and then choose a Namespace, but then I change the Repository to something else, the Namespace option populates no results as it should, but none of my other searches produce results because I think the searches still have a Namespace option filled out, when it should be "*". So basically, how do I have it reset back to default, if possible?


yeungto
New Member

Is there any solution provided?
