Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add lookup values as filter in dashboard and filter dashboard data

koreamit3483
Explorer
‎12-09-2021 03:59 AM

I have data receiving through forwarder which has SERVER_NAME with other details and i have another lookup created adding a csv file which holds data as SERVER_NAME, OWNER and REGION.

my current dashboard have a filter using SERVER_NAME coming from forwarder and now i need to create filter in dashboard of OWNER and REGION, which are from lookup and not from the data from forwarder.

I created the filter for OWNER and REGION and created tokens for them as "$owner_t$" and "$region_t$" which i am using in dashboard data as 

| index = XXX  OWNER="$owner_t$" and REGION="$region_t$"

when i select these tokens the data on dashboard is not getting filtered and shows as "No results found"

Can some one guide me where i am going wrong.

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2021 04:08 AM

Hi @koreamit3483,

you have two ways:

  • to use these tokens after the lookup command,
  • create au automatic lookup.

In the first case, you have to create two dropdowns using the lookup:

| inputlookup your_lookup.csv | dedup OWNER | fields OWNER

and

| inputlookup your_lookup.csv | dedup REGION | fields REGION

then put in your search after the lookup command:

index = XXX  
| lookup your_lookup.csv SERVER_NAME OUTPUT OWNER REGION
| search OWNER="$owner_t$" and REGION="$region_t$"
| table ...

For the second way, you could follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/DefineanautomaticlookupinSplunkWeb

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2021 04:08 AM

Hi @koreamit3483,

you have two ways:

  • to use these tokens after the lookup command,
  • create au automatic lookup.

In the first case, you have to create two dropdowns using the lookup:

| inputlookup your_lookup.csv | dedup OWNER | fields OWNER

and

| inputlookup your_lookup.csv | dedup REGION | fields REGION

then put in your search after the lookup command:

index = XXX  
| lookup your_lookup.csv SERVER_NAME OUTPUT OWNER REGION
| search OWNER="$owner_t$" and REGION="$region_t$"
| table ...

For the second way, you could follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/DefineanautomaticlookupinSplunkWeb

Ciao.

Giuseppe

Reply
Solved! Jump to solution

koreamit3483
Explorer
‎12-09-2021 05:23 AM

@gcusello 

This is exactly what i was looking for and have resolved my query.

Thank you so much..

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...