Drilldown into a multiselect input

nsantiago17 · ‎08-12-2019

Hi everyone,

I have a drilldown with the following values: "Fin", "Gar", "Mid", "Risc" and "Nuc" and when I select Fin (for example), the multiselect must show the following options: "LNR", "MTF" and "SLF", when you select "Gar", the multiselect must show 3 others options and so it goes.

Thanks in advance.

Kawtar · ‎08-19-2019

Hello,

this is working example:

Multiselect Drilldown

@d
now

Source Type
Show All
Show All

index=_internal | stats count by sourcetype
$dt.earliest$
$dt.latest$

sourcetype
sourcetype
(
)
sourcetype=
OR

Source Types

index=your_index | search $sourcetypes$

$dt.earliest$
$dt.latest$

10
none
row
false
true
["sourcetype","count"]

niketn · ‎08-13-2019

@nsantiago17 where is the drilldown coming from? Also from where will you get the correlation like FIN --> LNR, MTF, SLF etc? Can you add what is the code you currently have and what is not working for you?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nsantiago17 · ‎08-13-2019

The drilldown comes from a table, I'm using the lookup command to load them to the search and the FIN is the index, the LNR, MTF and SLF are the values below the index.

FIN | GAR | ....

LNR ABC ....
MTF ACB ....
SLF BAC ....

woodcock · ‎08-13-2019

You are going to have to be more descriptive and clear. For example, your last sentence is the exact opposite of the description above it. It makes no sense.

nsantiago17 · ‎08-13-2019

Thanks for the advice, I've edited the question.

woodcock · ‎08-19-2019

I am even more confused than before. Are you sure you said it the way that you meant it?

Drilldown into a multiselect input

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!