Hi Everyone,

I have one requirement as below:

I have one dashboard which consists of drop down and panels.

I have one drop down as "Teams" whose code is as below:

<input type="multiselect" token="teams" searchWhenChanged="true">
<label>Teams</label>
<choice value="All">All Teams</choice>
<choice value="BLAZE">BLAZE</choice>
<choice value="Oneforce">Oneforce</choice>
<fieldForLabel>Teams</fieldForLabel>
<prefix>(</prefix>
<valuePrefix>Teams ="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
<initialValue>All</initialValue>
<default>All</default>
<change>
<eval token="form.teams">case(mvcount('form.teams')=0,"All",mvcount('form.teams')&gt;1 AND mvfind('form.teams',"All")&gt;0,"All",mvcount('form.teams')&gt;1 AND mvfind('form.teams',"All")=0,mvfilter('form.teams'!="All"),1==1,'form.teams')</eval>
<eval token="BLAZE">if(isnull(mvfind('form.teams',"BLAZE")),mvfind('form.teams',"All"),1)</eval>
<eval token="Oneforce">if(isnull(mvfind('form.teams',"Oneforce")),mvfind('form.teams',"All"),1)</eval>
<eval token="org_choice">if(mvfind('form.teams',"All")=0,$teams$)</eval>
</change>
</input>

I have one panel which is showing multiple fields including parent chain and parent chain is coming from inputlookup.

parent_chain

MAIN-->root-->BLAZE - E1-->Blaz Transformation - Data

MAIN-->root-->BLAZE - E3

MAIN-->root-->Oneforce-->FXIP

Below is the code of the panel. The parent chain is coming from inputlookup chains.csv .

what I want is when I select "BLAZE" from the teams drop-down all the parent chain which consists of 3rd word as "BLAZE" should be shown .Basically the parent chain which include the word as "BLAZE" should come. Like below:

MAIN-->root-->BLAZE - E1-->Blaz Transformation - Data

MAIN-->root-->BLAZE - E3

when I select the word "Oneforce" from teams drop-down all the parent chain which consists of word "Oneforce" should come like this:

MAIN-->root-->Oneforce-->FXIP

MAIN-->root-->Oneforce-->Support_Tools

And when I select "All Teams" It should show all the parent chains .

I have passed the tokens as $BLAZE$ OR $Oneforce$ in query but still result is not filtering.

When I am selecting "BLAZE" from Teams dropdown its still showing all the parent chains and when I am selecting "Oneforce" from Teams dropdown its still showing all the parent chains .

Below is the code for it for the panel. I have highlighted the tokens which I have passed and also the lookup(inputlookup chains.csv) from where parentchain is coming.

<row>
<table>
<search>
<query>index=abc sourcetype=xyz source="/user.log" process-groups $BLAZE$ OR $Oneforce$|rename count as "Request Counts" |rex field=Request_URL "(?&lt;id&gt;[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"|stats count by Date ADS_Id Request_Type id ClickHere Request_URL|sort - ADS_Id |join type=outer id [inputlookup chains.csv]</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<fields>"Date", "ADS_Id","Request_Type", "Request_URL", "id", "parent_chain"</fields>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</row>

Can someone please guide me on this.

Thanks in advance.