Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard multiple lookup filters

mwdbhyat
Builder
‎02-14-2020 02:39 AM

Hi there,

I am trying to create a dashboard with some filters..

Roughly:
3 boxes populated and filtered by a lookup or kvstore lookup

cat (car manufacturer) - for instance could be car manufacturer ( lets say i chose mercedes)
subcat (type) - petrol/diesel/electric (i choose a petrol filter)
result (cars listed assoicated with above filters) - (it lists car models from merc that are petrol)

but then maybe i wanna go back and have 2 types of filters so i would then go back to "subcat" and choose both "petrol and electric"
the result would then list both types filtered into to "result"

how can i accomplish this?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2020 03:06 AM

Hi @mwdbhyat,
youhave to create three inputs in cascade, in other words:

  • the first input (car manufactures) is indipendent,
  • the second one (type) depends on first input,
  • the third one depends on both the others.

then in the panels search you put all the three inputs.
Probably for first and third inputs you can use a dropdown list, instead for the second you have to use a multichoice, something like this:

<fieldset submitButton="false">
    <input type="dropdown" token="input1">
      <label>Input1</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal | dedup sourcetype | sort sourcetype | table sourcetype</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="multiselect" token="input2">
      <label>Input2</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal $input1$ | dedup component | sort component | table component</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="dropdown" token="input3">
      <label>Input1</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>field3</fieldForLabel>
      <fieldForValue>field3</fieldForValue>
      <search>
        <query>index=_internal $input1$ $input2$| dedup field3 | sort field3 | table field3</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>field3="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>.

Then in the panel's searches use the three tokens.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2020 03:06 AM

Hi @mwdbhyat,
youhave to create three inputs in cascade, in other words:

  • the first input (car manufactures) is indipendent,
  • the second one (type) depends on first input,
  • the third one depends on both the others.

then in the panels search you put all the three inputs.
Probably for first and third inputs you can use a dropdown list, instead for the second you have to use a multichoice, something like this:

<fieldset submitButton="false">
    <input type="dropdown" token="input1">
      <label>Input1</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal | dedup sourcetype | sort sourcetype | table sourcetype</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>sourcetype="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="multiselect" token="input2">
      <label>Input2</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal $input1$ | dedup component | sort component | table component</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>component="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="dropdown" token="input3">
      <label>Input1</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>field3</fieldForLabel>
      <fieldForValue>field3</fieldForValue>
      <search>
        <query>index=_internal $input1$ $input2$| dedup field3 | sort field3 | table field3</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>field3="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>.

Then in the panel's searches use the three tokens.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mwdbhyat
Builder
‎02-14-2020 04:14 AM

Thanks that works

0 Karma
Reply
Get Updates on the Splunk Community!