Dashboards & Visualizations

How do I make a dropdown dynamic based on a feed/search.

HattrickNZ
Motivator

How do I write this so that it is dynamic based on the search that is done. That is the search will populate my choices based on the data that is available. So if threre is only subrack 0,1 and 2 then the dropdown would have All, 0, 1, 2. But then if threre is only subrack 0, and 1 then the dropdown would have All, 0, 1. This would make the dropdown more dynamic controlled by the search.

 <input type="dropdown" token="subrack_No">
    <label>subrack_No:</label>
    <choice value="*">All</choice>
    <choice value="0">0</choice>
    <choice value="1">1</choice>
    <choice value="2">2</choice>
    <choice value="3">3</choice>
    <choice value="4">4</choice>
    <default>*</default>
  </input>

example of a search :

index=core ..... | stats values(subrack_No)

Tags (1)
1 Solution

stephanefotso
Motivator

Here you go

<input type="dropdown" token="subrack_No">
 <label>subrack_No:</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForLabel="subrack_No" fieldForValue="subrack_No"> index=core ..... | stats count by subrack_No </populatingSearch>
      <default>*</default>
    </input>

Or this, only with splunk 6.2 and more

      <input type="dropdown" token="subrack_No">
  <label>subrack_No:</label>
          <choice value="*">All</choice>
          <search>
            <query> index=core ..... | stats count by subrack_No</query>
          </search>
          <default>*</default>
          <fieldForLabel>subrack_No</fieldForLabel>
          <fieldForValue>subrack_No</fieldForValue>
        </input>
SGF

View solution in original post

_jgpm_
Communicator

I did something very similar to this but my concept was based on 2 dropdowns. The first one does a

|inputcsv foo.csv

and then the user selects the value where the fieldlabel/fieldvalue gets assigned to the token $test

the next dropdown does

|inputcsv foo2.csv | search tag="$test$"

which then filters down foo2.csv to only show the tags related to the value selected in the dropdown. The selection sets the token $Choice. This works fine.

I wasn't able to make a third dropdown work.

0 Karma

stephanefotso
Motivator

Here you go

<input type="dropdown" token="subrack_No">
 <label>subrack_No:</label>
      <choice value="*">All</choice>
      <populatingSearch fieldForLabel="subrack_No" fieldForValue="subrack_No"> index=core ..... | stats count by subrack_No </populatingSearch>
      <default>*</default>
    </input>

Or this, only with splunk 6.2 and more

      <input type="dropdown" token="subrack_No">
  <label>subrack_No:</label>
          <choice value="*">All</choice>
          <search>
            <query> index=core ..... | stats count by subrack_No</query>
          </search>
          <default>*</default>
          <fieldForLabel>subrack_No</fieldForLabel>
          <fieldForValue>subrack_No</fieldForValue>
        </input>
SGF

HattrickNZ
Motivator

index=core ...| stats count by subrackNo this search gives me a 2 column result, subrackNo and count.

so when I put this search in the dropdown when the dashboard loads, the dropdown does not fill, under the dropdown it says

> Duplicate labels causing conflict

For clarification as I may not have been clear: the field that has the values I want to fill the dropdown is called subrackNo and not subrack_No, if that makes a difference. this is why my search in the dropdown should look like index=core ...| stats count by subrackNo

I also tried using
index=core ...| stats values(subrackNo) to fill the dropdown but it does not fill it.

0 Karma

stephanefotso
Motivator

Ok! Means also your field for Label and Field for Value must be modified! Here you go

    &lt;input type="dropdown" token="subrack_No"&gt;
   &lt;label&gt;subrack_No:&lt;/label&gt;
           &lt;choice value="*"&gt;All&lt;/choice&gt;
           &lt;search&gt;
             &lt;query&gt; index=core ..... | stats count by subrackNo&lt;/query&gt;
           &lt;/search&gt;
           &lt;default&gt;*&lt;/default&gt;
           &lt;fieldForLabel&gt;subrackNo&lt;/fieldForLabel&gt;
           &lt;fieldForValue&gt;subrackNo&lt;/fieldForValue&gt;
         &lt;/input&gt;
SGF
0 Karma

HattrickNZ
Motivator

ah thanks the field name goes in here

<fieldForLabel>subrackNo</fieldForLabel>
<fieldForValue>subrackNo</fieldForValue>

I thought it should be the token name.

0 Karma

HattrickNZ
Motivator

Interesting how this gives only 1 value in the dropdown of somwthing like, 0,1,2,3
index=core ... | stats values(subrackNo) as subrackNo

0 Karma

stephanefotso
Motivator

you have several ways to do it, depend on you

index=core ... | stats values(subrackNo) as subrackNo|head 1

index=core ... | stats first(subrackNo) as subrackNo

index=core ... | stats values(subrackNo) as subrackNo|where subrakNo=1

etc...

SGF
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...