Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Dashboard multiple lookup filters
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I am trying to create a dashboard with some filters..
Roughly:
3 boxes populated and filtered by a lookup or kvstore lookup
cat (car manufacturer) - for instance could be car manufacturer ( lets say i chose mercedes)
subcat (type) - petrol/diesel/electric (i choose a petrol filter)
result (cars listed assoicated with above filters) - (it lists car models from merc that are petrol)
but then maybe i wanna go back and have 2 types of filters so i would then go back to "subcat" and choose both "petrol and electric"
the result would then list both types filtered into to "result"
how can i accomplish this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mwdbhyat,
youhave to create three inputs in cascade, in other words:
- the first input (car manufactures) is indipendent,
- the second one (type) depends on first input,
- the third one depends on both the others.
then in the panels search you put all the three inputs.
Probably for first and third inputs you can use a dropdown list, instead for the second you have to use a multichoice, something like this:
<fieldset submitButton="false">
<input type="dropdown" token="input1">
<label>Input1</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<search>
<query>index=_internal | dedup sourcetype | sort sourcetype | table sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<prefix>sourcetype="</prefix>
<suffix>"</suffix>
</input>
<input type="multiselect" token="input2">
<label>Input2</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<search>
<query>index=_internal $input1$ | dedup component | sort component | table component</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>component="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="dropdown" token="input3">
<label>Input1</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>field3</fieldForLabel>
<fieldForValue>field3</fieldForValue>
<search>
<query>index=_internal $input1$ $input2$| dedup field3 | sort field3 | table field3</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<prefix>field3="</prefix>
<suffix>"</suffix>
</input>
<input type="time" token="Time">
<label>Time</label>
<default>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</default>
</input>
</fieldset>.
Then in the panel's searches use the three tokens.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mwdbhyat,
youhave to create three inputs in cascade, in other words:
- the first input (car manufactures) is indipendent,
- the second one (type) depends on first input,
- the third one depends on both the others.
then in the panels search you put all the three inputs.
Probably for first and third inputs you can use a dropdown list, instead for the second you have to use a multichoice, something like this:
<fieldset submitButton="false">
<input type="dropdown" token="input1">
<label>Input1</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<search>
<query>index=_internal | dedup sourcetype | sort sourcetype | table sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<prefix>sourcetype="</prefix>
<suffix>"</suffix>
</input>
<input type="multiselect" token="input2">
<label>Input2</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>component</fieldForLabel>
<fieldForValue>component</fieldForValue>
<search>
<query>index=_internal $input1$ | dedup component | sort component | table component</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>component="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
<input type="dropdown" token="input3">
<label>Input1</label>
<choice value="*">All</choice>
<default>*</default>
<fieldForLabel>field3</fieldForLabel>
<fieldForValue>field3</fieldForValue>
<search>
<query>index=_internal $input1$ $input2$| dedup field3 | sort field3 | table field3</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<prefix>field3="</prefix>
<suffix>"</suffix>
</input>
<input type="time" token="Time">
<label>Time</label>
<default>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</default>
</input>
</fieldset>.
Then in the panel's searches use the three tokens.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks that works
Splunk Search APIを使えば調査過程が残せます
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
