Dashboards & Visualizations

Populating drop down with values generated from a search

mahbs
Path Finder

Hi Guys,

I've searched this question on Splunk; however, the examples shown are a bit too complex for me to grasp, hence I'm asking here.
I have a search which returns lots of dates. Now what I want is two drop down fields:

Start Date: End Date:

These dropdown fields need to be populated with the dates that are being returned from my search.

How would I go about doing that?

Kind Regards
Mahbs

0 Karma

niketn
Legend

@mahbs, for us to assist you better, can you add samples of what your Start Date and End Date look like in your indexed events? Also, what are their field names?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mahbs
Path Finder

Hey, absolutely, the timestamp is in this format: 2017-10-18 00:00:00

With regards to the time, I'm currently returning the dates through the following query:

index="XXX" sourcetype="XXX" earliest=-1d@d latest=-0d@d | eval ReportKey="Yesterday" | append [search index="XXX" sourcetype="XXX" earliest=-7d@d latest=now | eval ReportKey="Last Week"] | timechart span= avg("XXX") by ReportKey

This query returned the dates during a specific time period; the only trouble is, I'm not sure where the date variable is to store the dates.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi mahbs,
If you mean a time period for timestamps, you only have to use a Time Input.

If Start_Date and End_Date are two fields of your sourcetype, you can populate two inputs with a simple search:

| my_search
| bin Start_Date span=1d
| eval Start_Date=strftime(Start_Date,"%d/%m/%Y")
| dedup Start_Date
| table Start_Date


| my_search
| bin End_Date span=1d
| eval End_Date=strftime(End_Date,"%d/%m/%Y")
| dedup End_Date
| table End_Date

So in your searches you can add them as tokens:

my_search Start_Date="$Start_Date$" End_Date="$End_Date$"
| ...

Bye.
Giuseppe

0 Karma

mahbs
Path Finder

Hey Giuseppe,

Not quite. What I want to do is populate my start date and end date with all the dates that are returned from the search query. I don't have any fields in my table labelled "start date" and "end date". What I want the user to be able to do is select a start date and an end date, and the graph should update to show data during that time period.

This is what I have at the moment:

<input type="dropdown" token="s_d"> <!-- token name assumed; fieldForLabel/fieldForValue are child elements of input, not attributes of search -->
  <label>Start Date</label>
  <fieldForLabel>Dates</fieldForLabel>
  <fieldForValue>s_d</fieldForValue>
  <search><query>index="test" sourcetype="csv"</query></search>
</input>

I need to figure out a way of assigning the token to all the dates in my query.

0 Karma

gcusello
SplunkTrust
SplunkTrust

You can find the earliest and latest date using the stats command, so you can populate your dropdown:

your_search
| stats earliest(_time) AS earliest latest(_time) AS latest

Bye.
Giuseppe

0 Karma

mahbs
Path Finder

Hey Giuseppe,

I think for this particular task, I would want all the dates to be populated. Just to give users that freedom to choose a date. How would I do that?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Try:

my_search
| bin _time span=1d
| eval Start_Date=strftime(_time,"%d/%m/%Y")
| dedup Start_Date
| table Start_Date

Remember, when you use tokens, to convert Start_Date and End_Date to epoch time; in other words:

my_search
| where _time>=strptime("$Start_Date$","%d/%m/%Y") AND _time<strptime("$End_Date$","%d/%m/%Y")+86400

I was thinking about your question: why don't you use the Time Picker?

Bye.
Giuseppe

0 Karma
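A complete Simple XML form that puts the pieces from this thread together, added here as an example and not taken from any of the posts: the index, sourcetype and token names are placeholders. Rather than parsing the formatted date back with strptime, each dropdown shows the formatted day in fieldForLabel and carries the day's epoch value in fieldForValue, so the tokens compare against _time directly.

```xml
<form>
  <label>Events between two dates picked from dropdowns</label>
  <!-- Added example; index, sourcetype and token names are placeholders. -->
  <fieldset submitButton="true">
    <input type="dropdown" token="start_epoch">
      <label>Start Date</label>
      <fieldForLabel>day</fieldForLabel>       <!-- what the user sees -->
      <fieldForValue>day_epoch</fieldForValue> <!-- what the token holds -->
      <search>
        <query>index="XXX" sourcetype="XXX"
| bin _time span=1d
| stats count by _time
| eval day=strftime(_time,"%d/%m/%Y"), day_epoch=_time
| table day day_epoch</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="end_epoch">
      <label>End Date</label>
      <fieldForLabel>day</fieldForLabel>
      <fieldForValue>day_epoch</fieldForValue>
      <search>
        <query>index="XXX" sourcetype="XXX"
| bin _time span=1d
| stats count by _time
| eval day=strftime(_time,"%d/%m/%Y"), day_epoch=_time
| table day day_epoch</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Daily event count for the selected range</title>
        <search>
          <!-- tokens are epoch seconds, so no strptime is needed; +86400 keeps the end day inclusive -->
          <query>index="XXX" sourcetype="XXX"
| where _time>=$start_epoch$ AND _time&lt;$end_epoch$+86400
| timechart span=1d count</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

The populating searches only list days that actually have events, which is the point Giuseppe makes about sparse data: a time picker can land on an empty period, a dropdown built this way cannot.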

mahbs
Path Finder

Hi Giuseppe,

For the purpose of the task, a drop down seems to be the best option. I found an example of someone trying to achieve the same thing as me, but the bit I'm getting confused on is the index bit:

index=main sourcetype=mainperfomance ChannelCode=* | head 1000 | stats count by ChannelCode | fields - count

I'm basically trying to do the same thing, but I want to return all the dates.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi mahbs,
I used this solution when I didn't have a continuous event flow but only events on a few days, and using the time picker it was possible to select an empty period.
If you have continuous events it's better (and easier) to use Time Picker.
If you want to help your users, you can set some predefined time intervals (e.g. last 2 days, last 3 days).
Bye.
Giuseppe

0 Karma