Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Create multiple dependent dropdown Dashboard

akumarsripathi
Loves-to-Learn
‎02-06-2026 02:42 PM

Hello I need help on creating multiple dependent dropdown.

Criteria :

1.one drop down has three environments ( stage, test and prod) - each environment has three applications (s1,s2 and s3)

2. second drop down has three applications ( s1,s2 and s3) - this is dependent on environment.

3. Each application has three different indexes which should be passed based on above 2 dropdowns. 

If I select stage as first drop down then 2nd drop down should show all application and then the search should run the application with then environment selected.
 eg: I selected stage and second drop down as s1 so search query is index = s1_stage

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-12-2026 01:09 AM

Based on the example given, I think the OP wants to adapt dropdowns to actual deployed application and environment combination dynamically.  So, I'd take a different route.  The key is the composition of index names.  I think what you want is like

  • For environment token
| tstats count by index
| rex field=index "[^_]+_(?<environment>.+)"
| stats count by environment
| fields - count​
  • for application token
| tstats count by index
| rex field=index "(?<application>[^_]+)_"
| stats count by application
| fields - count​

Here is a complete mockup dashboard:

<form version="1.1" theme="light">
  <label>multiple dependent dropdown Dashboard</label>
  <description>https://community.splunk.com/t5/Dashboards-Visualizations/Create-multiple-dependent-dropdown-Dashboard/m-p/758134#M59378</description>
  <fieldset submitButton="false">
    <input type="dropdown" token="environment_tok">
      <label>Environment</label>
      <fieldForLabel>environment</fieldForLabel>
      <fieldForValue>environment</fieldForValue>
      <search>
        <query>| makeresults
| eval environment = split("stage,test,prod", ","), application = mvappend("s1", "s2", "s3")
| mvexpand environment
| mvexpand application
| eval index = application . "_" . environment
| stats count by index
``` the above emulates
| tstats count by index ```
| rex field=index "\S+_(?&lt;environment&gt;.+)"
| stats count by environment
| fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="application_tok">
      <label>Application</label>
      <fieldForLabel>application</fieldForLabel>
      <fieldForValue>application</fieldForValue>
      <search>
        <query>| makeresults
| eval environment = split("stage,test,prod", ","), application = mvappend("s1", "s2", "s3")
| mvexpand environment
| mvexpand application
| eval index = application . "_" . environment
| stats count by index
``` the above emulates
| tstats count by index ```
| rex field=index "(?&lt;application&gt;[^_]+)_"
| stats count by application
| fields - count
      </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>This is what you put in your search</title>
      <html>
      <pre>
        index="&#36;application_tok&#36;_&#36;environment_tok&#36;"
          blah, blah
      </pre>
    </html>
    </panel>
    <panel>
      <title>This is what your search renders into</title>
      <html>
      <pre>
        index="$application_tok$_$environment_tok$"
          blah, blah
      </pre>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Use this search for environment</title>
      <html>
      <pre>
| tstats count by index
| rex field=index "[^_]+_(?&lt;environment&gt;.+)"
| stats count by environment
| fields - count
      </pre>
      </html>
    </panel>
    <panel>
      <title>Use this search for application</title>
      <html>
      <pre>
| tstats count by index
| rex field=index "(?&lt;application&gt;[^_]+)_"
| stats count by application
| fields - count
      </pre>
      </html>
    </panel>
  </row>
</form>

This way, no matter what combination of deployment is, the dropdowns always have the correct elements.

multiple-dependent dropdowns 2026-02-12 at 12.57.18 AM.png

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-08-2026 01:55 AM

Hi @akumarsripathi ,

the easiest way is to crete a lookup containing the associtions between environments, applications and indexes, es:

env   app   index
stage s1    index1
stage s1    index2
stage s1    index3
stage s2    index1
stage s2    index2
stage s2    index3
stage s3    index1
stage s3    index2
stage s3    index3
test  s1    index1
test  s1    index2
test  s1    index3
test  s2    index1
test  s2    index2
test  s2    index3
test  s3    index1
test  s3    index2
test  s3    index3
prod  s1    index1
prod  s1    index2
prod  s1    index3
prod  s2    index1
prod  s2    index2
prod  s2    index3
prod  s3    index1
prod  s3    index2
prod  s3    index3

then you can create the three dropdowns using the token of the previous dorpdown:

<input type="dropdown" token="env" searchWhenChanged="true">
    <label>Select an environment:</label>
    <prefix>env="</prefix>
    <suffix>"</suffix>
    <default>*</default>
    <choice value="*">All</choice>
    <fieldForLabel>env</fieldForLabel>
    <fieldForValue>env</fieldForValue>
    <search>
        <query>| inputlookup my_lookup.csv | dedup env | table env</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
    </search>
</input>
<input type="dropdown" token="app" searchWhenChanged="true">
     <label>Select an app:</label>
     <prefix>app="</prefix>
     <suffix>"</suffix>
     <default>*</default>
     <choice value="*">All</choice>
     <fieldForLabel>app</fieldForLabel>
     <fieldForValue>app</fieldForValue>
     <search>
         <query>| inputlookup my_lookup.csv WHERE $env$ | dedup app | table app</query>
         <earliest>-24h</earliest>
         <latest>now</latest>
     </search>
</input>
<input type="dropdown" token="index" searchWhenChanged="true">
     <label>Select an index:</label>
     <prefix>index="</prefix>
     <suffix>"</suffix>
     <default>*</default>
     <choice value="*">All</choice>
     <fieldForLabel>index</fieldForLabel>
     <fieldForValue>index</fieldForValue>
     <search>
         <query>| inputlookup my_lookup.csv | WHERE $env$ AND $app$ | dedup index | table index</query>
         <earliest>-24h</earliest>
         <latest>now</latest>
     </search>
</input>

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2026 02:05 AM

Where are these dependencies defined?

Assuming that they are in some sort of lookup, you can use the change handler of the first dropdown to set a token which is used in the search to setup the second dropdown. You can then use the change handler of the second dropdown to select the appropriate index.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...