How to create Dependent Multiselect filter in Splunk dashboard?

itnewbie — Tue, 15 Aug 2023 19:49:07 GMT

Hi I have a dashboard with multiple filters. I have a "customer" and "subsidiary" filter. I want the "customer" filter to display corresponding companies depending on the selection of "subsidiary" filter.

My query for the "customer" filter is as follow, currently it is showing all companies

index IN ("organization_a_company", "organization_b_company") | dedup name | fields name

For the "subsidiary" filter, it has a static input with

Name - Value ============ All - * OrgA - OrgA OrgB - OrgB

However, since the value of "subsidiary" is different from the actual index name. I need to perform eval case to map to corresponding indexes name. I tried something dynamic in "customer" filter like:

index IN ("organization_a", "organization_b") | eval $sub$ = "OrgA" <- the $sub$ token should come from the "subsidiary" filter, I am just testing here | eval filteredIndex = case($sub$ == "OrgA", "organization_a", $sub$ == "OrgB", "organization_b", 1=1, "organization_*") | search index IN ($filteredIndex$) | dedup name | fields name

but it didn't give any results. I tried follow the example here by using $$ but still no luck. And I don't think I can put the eval before the search right? but how can I make the index dynamic then. Thanks

Re: Dependent Multiselect filter in Splunk dashboard

gcusello — Tue, 15 Aug 2023 08:07:51 GMT

Hi @itnewbie,

I'd use for the subsidiary search thre fixed values (token called "sub"):

All: index=OrgA,
OrgA: index=OrgB
OrgB: index=OrgA OR index=OrgB

Then I'd use as search for the Customers:

$sub$ | dedup name | fields name

Ciao.

Giuseppe

topic Re: Dependent Multiselect filter in Splunk dashboard in Splunk Search

How to create Dependent Multiselect filter in Splunk dashboard?

Re: Dependent Multiselect filter in Splunk dashboard