Dashboards & Visualizations

Dashboard auto-populate returning no values, yet search does.

cnicholl
Loves-to-Learn

Attempting to populate a dropdown for a dashboard. The source is a lookup file. CSV. It does have null values in the table for this field, and also the returned data contains spaces and / in some fields.

I am using:
| inputlookup filename.csv | fields "Field Name" | dedup "Field Name"

as the Dynamic search, and the sample search for the lookup does work properly.

But when I run save the dropdown it fails to return any data.

Splunk 7.2.6

0 Karma
1 Solution

woodcock
Esteemed Legend

Spaces in field names are EVIL; I would do this:

| inputlookup filename.csv
| stats count BY "Field Name"
| sort 0 - count
| rename "Field Name" AS field_value
| eval  field_name = field_value . "(" . count . ")"

Then make sure that you specify field_name as the name to use and field_value as the value to use.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Spaces in field names are EVIL; I would do this:

| inputlookup filename.csv
| stats count BY "Field Name"
| sort 0 - count
| rename "Field Name" AS field_value
| eval  field_name = field_value . "(" . count . ")"

Then make sure that you specify field_name as the name to use and field_value as the value to use.

0 Karma

cnicholl
Loves-to-Learn

| inputlookup filename.csv
| stats count BY "Field Name"
| sort 0 - count
| rename "Field Name" AS field_value
| eval field_name = field_value . "(" count . ")"

has some eval error. I removed | eval field_name = field_value . "(" count . ")" and it seems to be working now. Go figure?

0 Karma

woodcock
Esteemed Legend

I was missing a .. I fixed my answer AND tested it; it works now. Please come back and click Accept to close the question @cnicholl.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@cnicholl,
Check whether the lookup and dashboard are in the same app context and if not, app which holds the dashboard has permissions to read lookup.
Field for value/Field for label params are configured.
Is it possible to share the drop down part of xml ?

Happy Splunking!
0 Karma

cnicholl
Loves-to-Learn
  <label>Field Filter</label>
  <fieldForLabel>fieldfilter</fieldForLabel>
  <fieldForValue>fieldfilter</fieldForValue>
  <search>
    <query>| inputlookup fielddata.csv | fields "Field Name" | dedup "Field Name" </query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>
  <choice value="*">ALL</choice>
  <default>*</default>
  <initialValue>*</initialValue>
</input>

I've tried "all time" for earliest
I verified that both the dashboard and lookup are in search and the lookup has everyone read.

Hoping this posts with the xml

0 Karma

cnicholl
Loves-to-Learn

I also adjusted the search to include returned results that did not have any spaces, or the / . Still nada

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@cnicholl,
Can you rename "Field Name" to fieldfilter or whatever fieldname you used in fieldForValue?

something similar to

   <label>Field Filter</label>
   <fieldForLabel>fieldfilter</fieldForLabel>
   <fieldForValue>fieldfilter</fieldForValue>
   <search>
     <query>| inputlookup fielddata.csv | fields "Field Name" | dedup "Field Name"|rename  "Field Name" as  fieldfilter</query>
     <earliest>-7d@h</earliest>
     <latest>now</latest>
   </search>
   <choice value="*">ALL</choice>
   <default>*</default>
   <initialValue>*</initialValue>
 </input>
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...