Solved: Why is my dropdown not populating a field value as...

tkwaller · ‎12-07-2016

*Hello
I have a populating search of:

index=api host=*XXX* requestURI="/xxx/xx/xxx/*" xyz=true | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | transaction transactionId maxspan=10s | search "Inbound" OR "Outbound" | eval Proc=if(proc = "null", "NONE", proc) | stats count by Proc

the search returns logs like:

2016-12-07 12:00:38,285 INFO MessageProcessor-123 com.domain.platform.stuff.stuff - className=CookieBasedAuthHandler method=handleRequest js_request=true requestURI=/xxx/xxx/v3/123456789?mode=tools&ucm=true&proc=null requestMethod=GET transactionId=123456789 token_validation_status=success

2016-12-07 12:00:38,290 DEBUG PassThroughMessageProcessor-386 org.wso2.carbon.api.gateway.stuff.stuff.ExtensionHandler - Inbound API call from client to gateway:  appName=Application , userName=email@domain.com , transactionId=123456789, requestURI=/xxx/xxx/xx/123456789?mode=tools&ucm=true&proc=null , requestTime=Wed Dec 07 12:00:38 UTC 2016 , clientIP=xxx.xx.xxx

2016-12-07 12:00:38,301 DEBUG MessageProcessor-347 org.wso2.carbon.api.gateway.stuff.stuff - Outbound API call from gateway to client:  appName=Application , userName=email@domain.com , transactionId=123456789, requestURI=/xxx/xxx/xx/123456789?mode=tools&ucm=true&proc=null , requestTime=Wed Dec 07 12:00:38 UTC 2016 , statusCode=200 , EndPointURL=http://api-xxx.xxx.com/catalog-xxx/xx/xxxx

the field proc is what I would like to use in the dropdown. Currently its always the value of the literal "null" but will eventually be other values.

In the top search I eval'd the proc field, just to make sure what I was doing was working. So if proc was the literal null change it to NONEand if not use the value of proc which works but ideally I'd like to not use the eval.

Proc    count
NONE    259

but the dropdown never populates with this value.

Hers the dropdown code:

    <label>PROC</label>
    <search>
      <query>index=api host=*XXX* requestURI="/xxx/xx/xxx/*" ucm=true | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | transaction transactionId maxspan=10s | search "Inbound" OR "Outbound" | eval Proc=if(proc = "null", "NONE", proc) | stats count by Proc</query>
      <earliest>-7d@h</earliest>
      <latest>now</latest>
    </search>
    <fieldForLabel>ProcName</fieldForLabel>
    <fieldForValue>ProcName</fieldForValue>
  </input>

rjthibod · ‎12-07-2016

Add the following to the end of your query

... | rename Proc as ProcName | table ProcName

View solution in original post

rjthibod · ‎12-07-2016

Add the following to the end of your query

... | rename Proc as ProcName | table ProcName

tkwaller · ‎12-07-2016

Yes indeed that worked. So this was an issue with me not using the fieldForLabel or fieldForValue? So really it was creating the search and assigning the value to the fieldForValue field?

rjthibod · ‎12-07-2016

Yes, the field you want to use in the dropdown needs to match the value in fieldForValue, I pretty much always use the same field for "fieldForLabel" as you did.

tkwaller · ‎12-07-2016

I knew it was something easy I was missing, just needed some new eyes.
thanks!

rjthibod · ‎12-07-2016

No problem. Glad to be helpful.

Why is my dropdown not populating a field value as expected?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases