- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the query to update table of a panel with ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a drop-down to choose values of quarter.
<label>Choose Quarter</label>
<choice value="Q">Quarter</choice>
<choice value="Q1">Q1</choice>
<choice value="Q2">Q2</choice>
<choice value="Q3">Q3</choice>
<choice value="Q4">Q4</choice>
Now if I choose Q2 one of my panels should get populated with all those values from abc.csv file where "Cuorse_Name"=H1
and if I choose Q4 then the same panel should get populated with values from the same abc.csv file where "Cuorse_Name"=H2
Please help with the query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kamlesh_vagela and @cusello
I had to tweak the query to add a where clause instead of search | where 'Course_name' == dp
and == for field comparison and now its working as expected.
But when for the condition where i have to get all rows am not getting that
I added selected=All and tried to assign * to it which is not returning any result.
| eval dp=case(selected=="Q1","H1 2017", selected=="Q2","H2 2017", selected=="All","*",1=1,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kamlesh_vagela and @cusello
I had to tweak the query to add a where clause instead of search | where 'Course_name' == dp
and == for field comparison and now its working as expected.
But when for the condition where i have to get all rows am not getting that
I added selected=All and tried to assign * to it which is not returning any result.
| eval dp=case(selected=="Q1","H1 2017", selected=="Q2","H2 2017", selected=="All","*",1=1,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great @surekhasplunk,
Please accept your answer and Upvote my and @cusello 's comment on previous post.
Thanks
Happy Splunking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi surekhasplunk,
this is an example for your needs
<form>
<label>test1</label>
<fieldset submitButton="false">
<input type="dropdown" token="log_level">
<label>log_level</label>
<choice value="*">All</choice>
<choice value="INFO">INFO</choice>
<choice value="DEBUG">DEBUG</choice>
<choice value="ERROR">ERROR</choice>
<choice value="WARN">WARN</choice>
<choice value="WARNING">WARNING</choice>
<prefix>log_level=</prefix>
</input>
</fieldset>
<row>
<panel>
<event>
<search>
<query>index=_internal $log_level$</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
In few words, in the dropdown you have to insert the values to search, in the prefix tag the field name and in the search the tag using $.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @cusello,
My dropdown works well for populating other tables in the dashboard where there is a column with value Q1 etc.
Its problem only when the file doesn't have that data.
so we have to manipulate Q1=H1 Q2=H2 Q3=H3 etc.
|inputlookup abc.csv |eval dp=case('$quarter$'=="Q1","H1", '$quarter$'=="Q2","H2",1=1,0)|search "Course_name"='$dp$' | chart count as field2 over field3 by field4
currently i am trying to use this query but not getting proper results $dp$ is not getting the value from case statement.
Pls help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me understand:
Do you have a column called Cuorse_Name where sometimes there are values Q1, Q2, ... and sometimes H1, H2, ... but the column name is always the same
or do you have values Q1, Q2, in a column (e.g. Cuorse_Name1) and H1, H2 in another column (e,g, Cuorse_Name2),
which one?
In the first case you can use eval command
| eval Cuorse_Name=case(Cuorse_Name="H1","Q1",Cuorse_Name="H2","Q2",...)
in the second one, you have to use the same eval command and a coalesce function
| eval Cuorse_Name=coalesce(Cuorse_Name1,Cuorse_Name2)
| eval Cuorse_Name=case(Cuorse_Name="H1","Q1",Cuorse_Name="H2","Q2",...)
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @cusello,
From Dropdown i can select Q1 or Q2 or Q3 or Q4
In my csv file i have a field called "Course Name" which have values like "H1 2017" "H2 2017" etc.
So if i choose Q1 i should search for "Course Name"=H1 and show rest of the items from the csv file.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @surekhasplunk,
put an asterisk in the value
<choice value="Course_Name=H1*">Q1</choice>
or in the search extract the quarter value
| eval Course_Name=substr(Course_Name,1,2)
and use it for filter.
If you can, don't use spaces in field names (Course Name), if you must, use double quotes ("Course Name")
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @surekhasplunk,
If you're satisfied, please accept and/or upvote answer.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @surekhasplunk,
Can you please try this?
| inputlookup abc.csv
| eval selected="$quarter$"
| eval dp=case(selected=="Q1","H1", selected=="Q2","H2",1=1,0)
| search "Course_name"=dp
| chart count as field2 over field3 by field4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kamlesh_vagela,
I tried your way but i read somewhere eval creates fields and not variables/tokens
So here selected and dp two fields are getting created but the command search "Course_name"=dp is not working as expected to match the values of the fields.
Though both have got same values its not returning anyting.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
