Filter a dashboard table by column values

bruceclarke
Contributor

All,

I have a simple table visualization on a dashboard and I want to have the option to filter down to specific values for each column. For example, I have a column for the disk drive that data is coming from (for some machines this could be a C:, D:, E:, for others just a G:, etc) and I want to only show rows that have disk drive C:.

Right now I have a selector above the table that lists all the possible drives, sets a form input, and reissues a search for the table's content. That's annoying, since you have to wait for data to return again, even though you already know it's a subset of the data already in the table.

Does anyone know if there's a way I can filter a table like this without needing to reissue the query? Thanks!

0 Karma

kyaparla
Path Finder

Very late response, you might have figured out a solution, but this is what I did for one of our use cases.

With a text input with token "filtertext" and the post-process search below, you can filter all the columns in the table.

| foreach * [eval filter=if((filter=1 OR match('<<FIELD>>',"(?i).*$filtertext$.*")),1,0)] | search filter=1 | fields - filter

0 Karma

aljohnson_splun
Splunk Employee

Post-process searches

Sometimes you end up with a dashboard running searches that are similar. You can save search resources by creating a base search for the dashboard. Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.

More here.


Post-process limitations

Post-process searches have limitations.

  • If the base search is a non-transforming search, Splunk Enterprise retains only the first 10,000 events returned. The post-process search does not process events in excess of this 10,000 event limit, silently ignoring them. This results in incomplete data for the post-process search. A transforming search as the base search helps avoid this limitation.

  • If the post-processing operation takes too long, it can exceed Splunk Web client’s non-configurable timeout value of 30 seconds. This can result in a timeout due to an unresponsive splunkd daemon/service. This scenario typically happens when you use a non-transforming search as the base search.


From the docs:

Form with post-process search for inputs

You can use a post-process search to dynamically populate inputs to a form. The following example shows a form with two inputs. The drop-down list, which selects an index to search, defines the choices statically. The drop-down list to select a source type statically defines the default choice but uses a post-process search to dynamically define the other choices.

Base search for populating the source type dropdown
index=_internal | stats count by sourcetype

Post process for dropdown input
| search sourcetype=splunkd*

<form>
  <label>Post Process in Form Inputs</label>

  <!-- Global search for post process by dropdown input -->
  <!-- Search uses stats command to limit results to less than 10,000 limit -->
  <search id="searchInput">
    <query>index=_internal | stats count by sourcetype</query>
    <earliest>-60min</earliest>
    <latest>now</latest>
  </search>

  <fieldset submitButton="false">

    <!-- Select an index from two static choices -->
    <input type="dropdown" token="index_tok" searchWhenChanged="true">
      <label>Select an index to search</label>
      <choice value="_internal">Internal</choice>
      <choice value="*">All public indexes</choice>
      <default>_internal</default>
    </input>

    <!-- Dynamically populate choices -->    
    <input type="dropdown" token="sourcetype_tok" searchWhenChanged="true">
      <label>Select a source type</label>

      <!-- default choice is all sourcetypes -->
      <choice value="*">All sourcetypes</choice>
      <default>*</default>

      <!-- Post-process search to dynamically populate choices -->
      <search base="searchInput">
        <query>search sourcetype=splunkd*</query>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>

    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Chart</title>
        <search>
          <query>
            index=$index_tok$ sourcetype=$sourcetype_tok$ | timechart count
          </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>

0 Karma
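The foreach/match filter from kyaparla's answer and the base-search/post-process pattern quoted from the docs, combined into one Simple XML form for the disk-drive table in the question: the base search runs once, a text input filters the rows already held in the browser-side result set, and the drive dropdown is populated from the same base search. This is an added example, not code from the thread or from Splunk's documentation; the index `perfmon`, sourcetype `disk_usage` and the fields `host`, `drive` and `free_mb` are assumed names.

```xml
<form>
  <label>Filter table rows without re-running the search (added example)</label>

  <!-- Base search: one transforming search, run once. Using stats keeps the
       result set well under the 10,000-event post-process limit noted above.
       Index, sourcetype and field names (host, drive, free_mb) are assumed. -->
  <search id="disk_base">
    <query>index=perfmon sourcetype=disk_usage | stats latest(free_mb) AS free_mb BY host drive</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <fieldset submitButton="false">
    <!-- Free-text filter; the default "." matches any non-empty value, so the table is full on load -->
    <input type="text" token="filtertext" searchWhenChanged="true">
      <label>Filter any column (case-insensitive regex)</label>
      <default>.</default>
    </input>

    <!-- Drive dropdown populated by post-processing the base search, not by a second search -->
    <input type="dropdown" token="drive_tok" searchWhenChanged="true">
      <label>Drive</label>
      <choice value="*">All drives</choice>
      <default>*</default>
      <search base="disk_base">
        <query>stats count BY drive</query>
      </search>
      <fieldForLabel>drive</fieldForLabel>
      <fieldForValue>drive</fieldForValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <title>Disk usage (drive $drive_tok$)</title>
        <!-- Post-process search: narrows rows already returned by the base search.
             coalesce() handles the first foreach iteration, when keep does not exist yet. -->
        <search base="disk_base">
          <query>search drive="$drive_tok$"
| foreach * [eval keep=if(coalesce(keep,0)=1 OR match('&lt;&lt;FIELD&gt;&gt;', "(?i)$filtertext$"), 1, 0)]
| search keep=1 | fields - keep
| sort free_mb</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Changing either input re-runs only the post-process step against the cached base results, so no new search job is dispatched to the indexers; `<<FIELD>>` must be written as `&lt;&lt;FIELD&gt;&gt;` inside the XML `<query>` element.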

bruceclarke
Contributor

I don't think this is quite what I want.

Imagine I have a search that returns a table of restaurant information. I have a zip code input that drives the initial population of the table (e.g. get me all restaurants in that zip code). The table is then populated with a bunch of columns, two of which are "cuisine" and "average price." I want to filter down the table to only Italian cuisine and order by average price. Right now, I need to have an input that reissues the query with the "Italian" filter.

All I should need to do is have a filter on the table. Issuing a separate query is unnecessary and adds unneeded load time to the dashboard. If this functionality doesn't exist, I can file an enhancement request.

0 Karma

jasonang
New Member

Bruce, did you get this answered? I have the same question. Thanks.

0 Karma

bruceclarke
Contributor

Hi jasonang - I didn't get a response, but I did file an enhancement request (Case 303365).

0 Karma