Dashboards & Visualizations

Executing a Splunk Search from lookup file?

Raj55555
Engager

Hi All,

I have a lookup file with 2 columns, Col1 and SPL_Qry.

Each value in Col1 will have an associated Splunk query.

In the Dashboard, if I select any value from the dropdown, the associated query should run and show me the result in the Splunk Dashboard.

Please advise

Example:

LookupFile.csv

Column 1   SPL_Query
value1     Qry_Related_to_Value1
value2     Qry_Related_to_Value2
value3     Qry_Related_to_Value3
value4     Qry_Related_to_Value4

0 Karma

ITWhisperer
SplunkTrust

Try something like this

<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">

    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.city_filter"/>
      </change>
    </input>

    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>

  </fieldset>

  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>$city_filter$</query>
        </search>
      </table>
    </panel>
  </row>

</form>


0 Karma

Raj55555
Engager

@ITWhisperer 

I tried the below

<input type="dropdown" token="lookupquery">
  <label>Select query</label>
  <fieldForLabel>Column 1</fieldForLabel>
  <fieldForValue>SPL_Query</fieldForValue>
  <search>
    <query>| inputlookup LookupFile.csv | search column1="$col1_token$"</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>

Then, as you mentioned, I set up the panel

<row>
  <panel>
    <table>
      <title></title>
      <search>
        <query>$SPL_Query$</query>
      </search>
    </table>
  </panel>
</row>

The new panel has been created, but after choosing from the dropdown the panel shows "Search is waiting for input".

How can I run the query after choosing the value from the dropdown?

Also, I verified the newly created panel's query by clicking the search icon, and it contains the literal $SPL_Query$. Is this expected?

Please advise

 

0 Karma

ITWhisperer
SplunkTrust

Try doing it the way I suggested rather than adding your own interpretation?

0 Karma

Raj55555
Engager

Thanks @ITWhisperer 

Your solution works! Great!!

Actually my full requirement is like below

State   City   SPL_Query
State1  City1  SPL_Qry_for_City1
State1  City2  SPL_Qry_for_City2
State2  City3  SPL_Qry_for_City3
State2  City4  SPL_Qry_for_City4
State2  City5  SPL_Qry_for_City5
State3  City6  SPL_Qry_for_City6

 

1. If I select State1 from the first dropdown, only City1 and City2 should be shown in the second dropdown.

I have achieved it.

2. When I select any City from the second dropdown, only the related query should run and give a result.

Based on your suggestion, I have achieved it.

 

The issue I am now facing is this: when I change the first dropdown, say from State1 to State2, the second dropdown still shows the previously selected city's query (the raw query is shown in dropdown 2).

How can I clear the value in dropdown 2 (City) each time I change the value in dropdown 1 (State)?

 

Please advise

0 Karma

ITWhisperer
SplunkTrust

Add a change handler to your state dropdown which unsets the form.city token.

(There are basically two tokens, form.tokenname and tokenname: form.tokenname represents the value input by the user in the input widget, and tokenname represents the output of the input widget.)

0 Karma

Raj55555
Engager

Sorry, I am very new to Splunk.

It would be really helpful if you could share the XML or steps with me, like you provided before, please.

0 Karma

ITWhisperer
SplunkTrust

OK, share what you currently have.

0 Karma

Raj55555
Engager

Sure, 

Please find below

<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">

    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>

    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>

  </fieldset>

  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>$SPL_Query$</query>
        </search>
      </table>
    </panel>
  </row>

</form>


0 Karma

ITWhisperer
SplunkTrust

Try something like this

<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">

    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.city_filter"/>
      </change>
    </input>

    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>

  </fieldset>

  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>$city_filter$</query>
        </search>
      </table>
    </panel>
  </row>

</form>

0 Karma

Raj55555
Engager

@ITWhisperer One last question, please.

Currently I am running the SPL_Query with a static date. I have added "Time" from "Add Input"; how will I pass this date and time range to the SPL_Query?

0 Karma

ITWhisperer
SplunkTrust

If you mean using a time input, then use a time picker:

    <input type="time" token="timepicker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

Then set earliest and latest in your panel to $timepicker.earliest$ and $timepicker.latest$ respectively.

0 Karma
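Putting the thread's pieces together, here is the complete Simple XML that combines the time input with the State and City dropdowns. This is an added example, not XML posted in the thread: it assumes the lookup is named lookupfile.csv with the columns State, City and SPL_Query, and it adds a dedup on the State dropdown so each state is listed once. Because the panel search is literally the value of $city_filter$, whatever SPL sits in the SPL_Query column is what runs, over the picker's time range, for every viewer of the dashboard; anyone who can edit that lookup therefore decides which search runs, so treat write access to the lookup like write access to the dashboard itself. The last panel is an audit view that lists lookup rows whose query invokes commands that write data or act outside the search; the command list is an illustrative assumption, extend it for your environment.

```xml
<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">

    <!-- shared time range; the default window is an assumption -->
    <input type="time" token="timepicker" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <!-- dedup added so a state that has several cities appears once -->
        <query>| inputlookup lookupfile.csv | dedup State | table State</query>
      </search>
      <change>
        <!-- clear the City choice so a stale SPL_Query does not stay in the token -->
        <unset token="form.city_filter"/>
      </change>
    </input>

    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$" | table City SPL_Query</query>
      </search>
    </input>

  </fieldset>

  <row>
    <panel>
      <title>Result of the selected query</title>
      <table>
        <search>
          <!-- the token is substituted verbatim: the SPL stored in the lookup row is what runs here -->
          <query>$city_filter$</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Lookup rows whose query writes data or acts outside the search (audit)</title>
      <table>
        <search>
          <!-- command list is an illustrative assumption; add whatever your environment must not run from a dashboard -->
          <query>| inputlookup lookupfile.csv
| where match(SPL_Query, "(?i)\|\s*(outputlookup|delete|collect|sendemail|script|runshellscript)\b")
| table State City SPL_Query</query>
        </search>
      </table>
    </panel>
  </row>

</form>
```

Save the lookup with those three columns, load the dashboard, and check two things: changing State empties the City choice (the panel goes back to waiting for input rather than re-running the old query), and the audit panel stays empty for a lookup you trust. Time range only reaches the stored query through the panel's earliest and latest, so a query that hard-codes its own earliest= or latest= in the SPL_Query column will override the picker.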

Raj55555
Engager

@ITWhisperer 

Actually I need to have the Time Input along with the State and City dropdowns.

Currently the SPL_Query is running for a static time period.

Now I need to run it for the chosen date and time range based on the "Time Input".

Please share the completed XML with me, showing where I need to add the time-related XML.

I also tried to change the time range in the query panel's search settings by switching "Time Range" from "Global" to "Shared Time Picker", but it didn't work.

0 Karma

Raj55555
Engager

Super 🙂

Great, it works as expected!

Thank you very much!!

0 Karma

Raj55555
Engager

Thanks for your reply @ITWhisperer,

Yes, I am using a lookup file and the inputlookup command to get the SPL_Query for the particular value. But the SPL I am getting just displays the whole query (the raw query); it is not running or showing the result for that particular SPL.

I have used the below SPL

| inputlookup LookupFile.csv
| search Column="$Col1_token$"
| search SPL_Query

Kindly advise me on the Splunk query to execute the SPL and get the result.

0 Karma

ITWhisperer
SplunkTrust

Set up your dropdown something like this

    <input type="dropdown" token="lookupquery">
      <label>Select query</label>
      <fieldForLabel>Column 1</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup LookupFile.csv</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>

Then set up your panel something like this

  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>$lookupquery$</query>
        </search>
      </table>
    </panel>
  </row>
0 Karma

ITWhisperer
SplunkTrust

You could try setting up your dropdown query to load the values from the lookup file using the inputlookup command. Then you could set up the search for the dashboard panel to simply be the value of the token from the dropdown.

0 Karma