Solved: How to auto-fill/refresh a filter?

andrehl · ‎08-06-2018

Hi Community!

I would like the filter named [Total Distinct Customer in 2017 //ignore and Total Distinct Customer in 2018 //ignore] ,as attached in the picture, to fill itself with the number in the single value panel without having the user to click on it.

Thanks before!

renjith_nair · ‎08-06-2018

@andrehl ,

You could use a token (set once the search is done) to set the value.

E.g.

<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>sourcetype</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>|metadata type=sourcetypes|fields sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="text">
      <label>Text</label>
      <!--Use the token which is set below as default vlaue of text box-->      
      <default>$mycount$</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_* sourcetype=$sourcetype$|stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <!--set the token value to the field name . Here its count-->
          <done>
            <set token="mycount">$result.count$</set>
          </done>
        </search>
        <option name="drilldown">none</option> 
      </single>
    </panel>
  </row>
</form>

Happy Splunking!

View solution in original post

renjith_nair · ‎08-06-2018

@andrehl ,

You could use a token (set once the search is done) to set the value.

E.g.

<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>sourcetype</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>|metadata type=sourcetypes|fields sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="text">
      <label>Text</label>
      <!--Use the token which is set below as default vlaue of text box-->      
      <default>$mycount$</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_* sourcetype=$sourcetype$|stats count</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <!--set the token value to the field name . Here its count-->
          <done>
            <set token="mycount">$result.count$</set>
          </done>
        </search>
        <option name="drilldown">none</option> 
      </single>
    </panel>
  </row>
</form>

Happy Splunking!

andrehl · ‎08-07-2018

my apology, I forgot to mention that my Time Range has to be an 'All Time'. Using your method, I can't seem to make it wait 'til the end of my search query.

renjith_nair · ‎08-07-2018

actually it does not matter because unless your search is completed, you don't have complete data and also the single value is also incomplete. So as soon as your result is complete, the value is being automatically shown in text box as well. You could use progress also instead of done but as mentioned its not the final result

Happy Splunking!

andrehl · ‎08-07-2018

It worked like a charm! Thank you so much!
May I know where can I get all the XML references from?

renjith_nair · ‎08-07-2018

Here you go - http://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/tokens

Happy Splunking!

How to auto-fill/refresh a filter?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...