@like2splunk while we can work with your approach I was suggesting on a simpler approach. Use Site as label and PBSController as value for the Dropdown. You would not condition block and also you need not have two panels for your Use case as the same can be handled in Single Panel

PS: While posting the code use the code button 101010 on Splunk Answers, this will post code without escaping special characters.

Try the following:

<form>
  <label>Saved Search Based on Token</label>
  <fieldset>
    <input type="dropdown" token="tok_controller">
      <label>Site Selection</label>
      <fieldForLabel>Site</fieldForLabel>
      <fieldForValue>PBSController</fieldForValue>
      <search>
        <query>| inputlookup Site_Mapping.csv | table Site , PBSController</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
      <change>
        <set token="host">$label$</set>
      </change>
    </input>
  </fieldset>
  <row depends="$tok_controller$">
    <panel>
      <title>Failure Rate Panel $tok_controller$</title>
      <chart>
        <search>
          <query>| savedsearch $tok_controller$_Failure_Rate host="$host$"
          </query>
          <earliest>-2w@w</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>

@niketnilay
Great thinking with putting the token in the title of the REPORT for savedsearch. That fixes by "condition" problem and indeed reduces the panels to one.

However, when I run the code as you've posted my dropdown complains "Duplicate values causing conflict" and I don't see all of my site names.

FYI - I keep trying to post the code properly but, for whatever reason, it truncates my post...

You can try the following query for your dropdown. However, do you have one to one mapping between Site and PBSController or not? If not you would need to describe the relation and also which field can be treated as primary with unique value.

| inputlookup Site_Mapping.csv | dedup Site , PBSController| table Site , PBSController

@niketnilay
That won't work. Each site is unique (>20) and there are only two types of controllers. I need to keep the association between Site and Controller. The input doesn't like having different count for values and label, apparently. The CSV looks like this:

NAME ControllerType

Site1 Pyramid
Site2 Pyramid
Site3 Dekimo
Site4 Pyramid
Site5 Pyramid
Site6 Dekimo
Site7 Dekimo
Site8 Dekimo
Site9 Pyramid
. .
. .
. .

@niketnilay
I think I may have figured it out. I wanted to preserve the respective type of controller for a given site but I only wanted the user to see their site name. So I concatenated the two together from the CSV with delimiter ";". Then I performed eval for $host$ and $controller$, with the latter using mvindex to split by the delimiter. See below. Thank you so much for your help!

<form>
  <label>Saved Search Based on Token</label>
  <fieldset>
    <input type="dropdown" token="site_controller">
      <label>Site Selection</label>
      <fieldForLabel>Site</fieldForLabel>
      <fieldForValue>Site_Controller</fieldForValue>
      <search>
        <query>| inputlookup Site_Mapping.csv | strcat Site ";" Controller Site_Controller | table Site Site_Controller</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
      <change>
        <eval token="host">$label$</eval>
        <eval token="controller">mvindex(split($value$, ";"),1)</eval>
      </change>
    </input>
  </fieldset>
  <row depends="$controller$">
    <panel>
      <title>Failure Rate Panel $controller$</title>
      <table>
        <search>
          <query>| savedsearch $controller$_Failure Rate host="$host$"
           </query>
          <earliest>-2w@w</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>

@niketnilay
Thank you for the response. I think you've got me in the right direction. But the savedsearches are performed in the Panels.

I have two objectives:

(1) define two different tokens "Site" and "CONTROLLER" based on a single input. Both tokens are captured from the Site_Mapping.csv file. There are multiple sites but only two types of controllers. For example, a user selects their respective site name which has one of two different controllers.

(2) perform a savedsearch in a Dashboard Panel based on those two tokens, specifically the controller token. For example, the controller type is "Dekimo" will use: <query> | savedsearch Dekimo_Failure_Rate_Per_Day host="$host$" </query>whereas if the controller type is Pyramid will use: <query> | savedsearch Pyramid_Failure_Rate_Per_Day host="$host$" </query>

Your help is much appreciated.

Sorry - I meant to put "Site" instead of "host" in the sample code.

Have you tried above example with Panel query as

<query>| savedsearch $tokSavedSearchName$ host="$host$"</query>

Well the issue is that I need many different panels which each have a different savedsearch.
I figured out conditional panels here: https://answers.splunk.com/answers/598064/if-else-condition-for-dashboard.html

But what I need now is how to get multiple tokens from the same dropdown input.
Any ideas??

@like2splunk you can extend the concept of <change> event handler to create as may tokens as your want.

However, I am still not clear with what you want to do. Above problem stated by you can be solved by setting only one token for pulling saved search name. Other query SPL text is the same for both queries you have mentioned.

Also, will you have different searches running in the same panel, or will you have multiple panels with their own search SPL? In case you want to set tokens for multiple panels will they all run at the same time or one at a time depending on the Dropdown value selected?

Please elaborate your actual use case so that we can assist you better!

@niketnilay
I want a dashboard that has one dropdown input. Based on that input selection, multiple panels (line charts, tables, pie charts, etc.) will populate with data.
The various input options are pulled from a CSV file containing the site names.
The input should be called "Site" and the token will be $host$.
The CSV file also contains a "controller_type" for each Site; each Site has either a "Pyramid" or a "Dekimo" controller.
Each panel will then call on a unique savedsearch (e.g. Reports) based on whether the Site has Pyramid or Dekimo controller.
There are multiple savedsearches for each type of controller.
I need to be able to define two different tokens from the CSV file.

From your question seems like you needed input named CONTROLLER and as per above clarification seems like you need input called Site. Also your requirement seems different than the code shared. So just to make sure if I understood your requirement correctly, let me re-iterate:

1) You need an input Site which generates the token $host$. Is it static or dynamic based on some search (SPL)?
2) Based on $host$ value query csv file to fetch controller_type and Saved Search Name. What is the csv filename? What are the fields to be matched and returned? Can you add some sample rows for Pyramid and Dekimo?
3) Use the Saved Search Name (I dont think controller is required) in the query through token.

You are very close:
1) It is dynamic. The dropdown input options for $host$ come from a query of Site_Mapping.csv which contains all of the Site names and their respective controller types. The CSV is a simple table. The code looks like this:


<label>Site Selection</label>
<fieldForLabel>Site</fieldForLabel>
<fieldForValue>Site</fieldForValue>
<search>
<query>| inputlookup Site_Mapping.csv | table Site | eval host=Site</query>
<earliest>0</earliest>
<latest></latest>
</search>
</input>

This input will let the user select the site.

2) Based on the selected $host$ create the token $CONTROLLER$ from the same CSV file. Remember the same file contains the Site name and controller_type. NO, there is no savedsearch name in the CSV file. I call upon reports directly in the query (see below).

3) Use the token $CONTROLLER$ to choose a particular savedsearch (e.g. Report). Perhaps something like this below?? I know the "if" statement doesn't work but I'm trying to illustrate my point. In the example below "Dekimo_Failure_Rate_Per_Day" or "Pyramid_Failure_Rate_Per_day" are separate Reports that are being called by the savedsearch. Notice this is a panel whose query is dependent on the token $CONTROLLER$ which was dependent on the selected $host$. I will need to make many more panels like it that call on different Reports.

`

| if(CONTROLLER=Dekimo , savedsearch Dekimo_Failure_Rate_Per_Day)
if (CONTROLLER=Pyramid , savedsearch Pyramid_Failure_Rate_Per_day -2w@w
now

line

`

@like2splunk try the following input Dropdown code:

<input type="dropdown" token="CONTROLLER">
  <label>Site Selection</label> 
  <fieldForLabel>Site</fieldForLabel> 
  <fieldForValue>controller_type</fieldForValue> 
  <search> 
    <query>| inputlookup Site_Mapping.csv | table Site , controller_type</query> 
    <earliest>-1s</earliest> 
    <latest>now</latest> 
  </search>
  <change>
    <set token="host">$label$</set>
  </change>
</input>

Above should set two tokens once Site is selected from Dropdown i.e. $host$ which contains the Site value and $CONTROLLER$ which has controller_type value. Use these tokens in your search query and confirm!

@niketnilay
I can't get your Dropdown recommendation to work. I can having trouble with the CONDITION arguments. Can you see the other post I made?