Hi All,
I have a lookup file with 2 columns, Col1 and SPL_Qry.
Each value in Col1 will have an associated Splunk query.
In the dashboard, if I select any value from the drop-down, the associated query should run and show me the result in the Splunk dashboard.
Please advise
Example:
LookupFile.csv
Column 1 | SPL_Query |
value1 | Qry_Related_to_Value1 |
value2 | Qry_Related_to_Value2 |
value3 | Qry_Related_to_Value3 |
value4 | Qry_Related_to_Value4 |
I tried the below
<input type="dropdown" token="lookupquery">
  <label>Select query</label>
  <fieldForLabel>Column 1</fieldForLabel>
  <fieldForValue>SPL_Query</fieldForValue>
  <search>
    <query>| inputlookup LookupFile.csv | search column1="$col1_token$"</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>
Then, as you mentioned, I finished setting up the panel
<row>
  <panel>
    <table>
      <title></title>
      <search>
        <query>$SPL_Query$</query>
      </search>
    </table>
  </panel>
</row>
A new panel has been created; after choosing from the dropdown, the panel shows "Search is waiting for input".
How can I run the query after choosing the value from the dropdown?
Also, I verified the newly created panel's query by clicking the search icon; it contains $SPL_Query$. Is this expected?
Please advise
Try doing it the way I suggested rather than adding your own interpretation?
Thanks @ITWhisperer
Your solution works! Great!!
Actually my full requirement is like below
State | City | SPL_Query |
State1 | City1 | SPL_Qry_for_City1 |
State1 | City2 | SPL_Qry_for_City2 |
State2 | City3 | SPL_Qry_for_City3 |
State2 | City4 | SPL_Qry_for_City4 |
State2 | City5 | SPL_Qry_for_City5 |
State3 | City6 | SPL_Qry_for_City6 |
1. If I select State1 from the first dropdown, only City1 and City2 should be selected in the second dropdown.
I have achieved it.
2. When I select any City from the second dropdown, only the related query should run and give a result.
Based on your suggestion, I have achieved it.
Now the issue I am facing is that when I try to change the first dropdown, say from State1 to State2, my second dropdown shows the previously selected City's query (the raw query is showing in dropdown2).
How can I clear the value in Dropdown2 (City) each time I change the value in Dropdown1 (State)?
Please advise
Add a change handler to your state dropdown which unsets the form.city token
(There are basically two tokens form.tokenname and tokenname - the form.tokenname is the token which represents the value input by the user in the input widget and tokenname which represents the output of the input widget.)
Sorry, I am very new to Splunk.
It would be really helpful if you could share the XML or steps with me like you provided before, please.
OK share what you currently have
Sure,
Please find below
<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>$SPL_Query$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
Try something like this
<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.city_filter"/>
      </change>
    </input>
    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$"</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title></title>
        <search>
          <query>$city_filter$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
@ITWhisperer One Last question, please
Currently I am running the SPL_Query with a static date. I have added "Time" from "Add Input"; how do I pass this date and time range to the SPL_Query?
If you mean using a time input, then use a time picker
<input type="time" token="timepicker" searchWhenChanged="true">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>
Then set earliest and latest in your panel to $timepicker.earliest$ and $timepicker.latest$ respectively.
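The time picker from the reply above combined with the State and City dropdowns from this thread, as an added example that was not posted by any participant. It assumes the thread's lookupfile.csv with State, City and SPL_Query columns; the `dedup`, the non-empty labels and the omission of time bounds on the `inputlookup` searches are additions.

```xml
<form version="1.1">
  <label>City Dashboard</label>
  <fieldset submitButton="false">
    <!-- Shared time range; the token name "timepicker" matches the reply above -->
    <input type="time" token="timepicker" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="state_filter">
      <label>Select State</label>
      <fieldForLabel>State</fieldForLabel>
      <fieldForValue>State</fieldForValue>
      <search>
        <!-- dedup is an addition: one entry per State instead of one per lookup row -->
        <query>| inputlookup lookupfile.csv | dedup State | fields State</query>
      </search>
      <change>
        <!-- Clear the city selection whenever the state changes -->
        <unset token="form.city_filter"/>
      </change>
    </input>
    <input type="dropdown" token="city_filter">
      <label>Select City</label>
      <fieldForLabel>City</fieldForLabel>
      <fieldForValue>SPL_Query</fieldForValue>
      <search>
        <query>| inputlookup lookupfile.csv | search State="$state_filter$"</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <search>
          <!-- Runs the SPL stored in the selected lookup row with the viewer's
               permissions, so keep write access to lookupfile.csv restricted -->
          <query>$city_filter$</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Time modifiers written inside a stored query (`earliest=` / `latest=`) take precedence over the panel's time range, so remove them from the SPL_Query values if the picker should control the window.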
Actually I need to have Time Input along with State and City Drop Down.
Currently the SPL_query query is running for the static time period.
Now I need to run for the chosen date and time range based on the "Time Input"
Please share the completed XML with me, showing where I need to add the time-related XML.
I also tried to change the time range in the query panel search button by changing the "Time Range" from "Global" to "Shared Time Picker", but it didn't work.
Super 🙂
Great, it works as expected !
Thank you very much!!
Thanks for your reply @ITWhisperer,
Yes, I am using a lookup file and using the inputlookup command to get the SPL_Query for the particular value. But the SPL I am getting just displays the whole query (raw query); it's not running or showing the value for that particular SPL.
I have used the below SPL
| inputlookup LookupFile.csv
| search Column="$Col1_token$"
| search SPL_Query
Kindly advise me with the Splunk query to execute the SPL and get the result.
<input type="dropdown" token="lookupquery">
  <label>Select query</label>
  <fieldForLabel>Column 1</fieldForLabel>
  <fieldForValue>SPL_Query</fieldForValue>
  <search>
    <query>| inputlookup LookupFile.csv</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
</input>
Then set up your panel something like this
<row>
  <panel>
    <table>
      <title></title>
      <search>
        <query>$lookupquery$</query>
      </search>
    </table>
  </panel>
</row>
You could try setting up your dropdown query to load the values from the lookup file using the inputlookup command. Then you could set up the search for the dashboard panel to simply be the value of the token from the dropdown