Dashboards & Visualizations

6.3.1 populate dropdown with query results?

ramabu
Path Finder

Can anyone post a complete dashboard example, with a dropdown populated by query1, and a pie charting counts based on the dropdown selection? I've been trying for 2 days now to build this - but in vain.

I did find examples, but they were all snippets, and in mixed versions.

I have both searches at hand, both provide correct timely results when performed manually.
1.
query1 is: policyinfo | transaction ip | stats values(policy)
2.
assuming the dropdown selection is in $policyname$, then
query2 is: status=Match policy="$policyname$" | transaction ip | stats count by rule

Thanks
rama

Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi ramabu,

take this run everywhere dashboard (assuming you have access to index=_internal) and you will get an idea how to do it:

<form>
  <label>Drop down pie</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>Please select:</label>
      <search>
        <query>index=_internal | stats count values(sourcetype) AS sourcetypes by sourcetype</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <choice value="*">all</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=$field1$ | stats count by date_minute</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi ramabu,

take this run everywhere dashboard (assuming you have access to index=_internal) and you will get an idea how to do it:

<form>
  <label>Drop down pie</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="field1">
      <label>Please select:</label>
      <search>
        <query>index=_internal | stats count values(sourcetype) AS sourcetypes by sourcetype</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <choice value="*">all</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=$field1$ | stats count by date_minute</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Hope this helps ...

cheers, MuS

ramabu
Path Finder

Oh, MuS! Thank you very much! that was quick and to the point!

For anyone who may be referencing this --
A.
I could not use the single-column result set I had [policyinfo | transaction ip | stats values(policy)] - had to rephrase it to something like the query in the example.

B.
I had to tweak the time constraints to get this to work in my case.

0 Karma

MuS
SplunkTrust
SplunkTrust

Nice you got this working now - feel free to accept the answer in this case, thanks 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...