I have a dashboard where I display a list of wines. I want to be able to incrementally add the wine name to a search criteria so the user can select the wines they are interested in. The wine name field is "Description", so I have the query like
index=... $wines$
$wines$ is unset the first time around and this drilldown will work for the first click
<set token="wines">$click.name2$=$click.value2|s$</set>
which sets Description="wine", depending on the click, but of course this overwrites $wines$ each click. In order to build up the criteria I tried using eval/if
I tried
<eval token="wines">if(match($wines$, "Description"), "AlreadySet", "$click.name2$"="$click.value2|s$")</eval>
but this results in $wines$ being 'false'.
I know that if I just put "XX" in the else part of the if, it returns that. I have tried no quotes, double $ sign and so on, but I can't make it work. I also tried elements with no luck.
Any ideas on how I can achieve what I want, i.e. to ultimately get
Description="Wine 1" OR Description="Wine 2" OR Description="Wine 3"...
like a standard multi select dropdown. I'm not using that multi select as it's too slow - there are 10,000 wines...
I solved my original problem with the following
<set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
<set token="wines">$wines$ OR $query$</set>
and in the dashboard set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.
Would still be nice to understand why I couldn't get it to work with the eval statement.
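One way to handle the "unclick" case mentioned above, as an added example that is not part of the original posts: keep the selection as a set keyed by Description and Vintage, toggle on each click, and re-render the whole `wines` clause from it. The function names are hypothetical, `quoteValue` only approximates the quoting that the `|s` filter provides, and wiring the result into the dashboard token is not shown.

```javascript
// Added example: hypothetical helpers, not part of any Splunk API.

// Approximates what the |s token filter is for: wrap a value in double
// quotes and escape backslashes and embedded quotes, so a field value
// cannot terminate the string early and change the search.
function quoteValue(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Stable key for one wine/vintage pair; JSON keeps the two parts unambiguous.
function keyOf(row) {
  return JSON.stringify([row.Description, row.Vintage]);
}

// Click logic: the first click adds the row, a second click removes it.
// Returns a new Map so the previous selection is left unchanged.
function toggle(selection, row) {
  const next = new Map(selection);
  const key = keyOf(row);
  if (next.has(key)) next.delete(key); else next.set(key, row);
  return next;
}

// Render the value for the wines token. An empty selection yields the same
// never-matching placeholder the post uses, so the base search stays valid.
function renderWines(selection) {
  if (selection.size === 0) return 'Description="XX"';
  return [...selection.values()]
    .map(r => `(Description=${quoteValue(r.Description)} Vintage=${quoteValue(r.Vintage)})`)
    .join(' OR ');
}

// Constructed sample rows, including a name with embedded quotes.
const wineA = { Description: 'Wine 1', Vintage: '2015' };
const wineB = { Description: 'Chateau "Example" Rouge', Vintage: '2012' };
let sel = new Map();
sel = toggle(sel, wineA);
sel = toggle(sel, wineB);
console.log(renderWines(sel));
sel = toggle(sel, wineA); // unclick Wine 1
console.log(renderWines(sel));
```

Because the clause is rebuilt from the set each time, there is no leading `Description="XX" OR` left in the token once at least one wine is selected.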
I did something similar when I needed to search tens-of-thousands of software packages. I used 2 controls instead of one. The unusual control was a RegEx based pre-filter on the main multi-select control:
    <label>Demo for whittling down a HUGE selection list to manageable chunk</label>
    <description>This is not the exact answer that you were seeking, but may be a good alternative</description>
    <fieldset autorun="false" submitButton="true">
      <input type="text" token="filter_token" searchWhenChanged="false">
        <label>RegEx filter for Wine Dropdown --></label>
        <default>.</default>
      </input>
      <input type="dropdown" token="wine_token" searchWhenChanged="false">
        <label>(&lt;-- filtered) Wine Selector:</label>
        <default>*</default>
        <choice value="*">All</choice>
        <fieldForLabel>wine</fieldForLabel>
        <fieldForValue>wine</fieldForValue>
        <search>
          <query>| inputcsv winelist.csv | regex wine="(?i)$filter_token$" | table wine</query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
      </input>
    </fieldset>
The really nice thing about this is that it is very natural and only the geeks who grok RegEx need to know it is RegEx under the hood; the plebes will just type "white" and it will "just work". They will need to be taught to do "red|white" and that will be good for 90+% of all users/searches and for those who need more, you get to geek mentor them into RegEx.
I like this as a cool idea. I've got a couple of filters, but was wondering how to make them more powerful as they are currently just raw text strings, so supporting regex would be really neat.
I solved my original problem with the following
<set token="query">(Description=$row.Description|s$ Vintage=$row.Vintage|s$)</set>
<set token="wines">$wines$ OR $query$</set>
and initially set wines to Description="XX", which saved having to use eval in the drilldown. Works nicely, other than I've not found a good way to "unclick" a particular wine/vintage to remove it from the currently selected wine set. Small problem though.
You should convert your comment to an answer and click Accept to close the question.
Duh! I didn't see the wheel to convert to answer... but thanks anyway for your regex stuff. Handy!
New version has drill down in UI that would help you
Why is multi select too slow? That's the way to do it in Splunk in my humble opinion. What search did you use to populate multiselect?
The problem is that it's an AWS t2 micro instance 😞 and can't cope with the 10k results, just locks up the browser.
index=... sourcetype=...
| stats count by Description
| sort Description
I've used them many times before and you're right, it's the normal way to go. As to "why..." - my performance analysis of Splunk is not great - other than the golden rule of never use "transaction or join" 🙂