Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add lookup values as filter in dashboard and filter dashboard data

koreamit3483
Explorer
‎12-09-2021 03:59 AM

I have data receiving through forwarder which has SERVER_NAME with other details and i have another lookup created adding a csv file which holds data as SERVER_NAME, OWNER and REGION.

my current dashboard have a filter using SERVER_NAME coming from forwarder and now i need to create filter in dashboard of OWNER and REGION, which are from lookup and not from the data from forwarder.

I created the filter for OWNER and REGION and created tokens for them as "$owner_t$" and "$region_t$" which i am using in dashboard data as 

| index = XXX  OWNER="$owner_t$" and REGION="$region_t$"

when i select these tokens the data on dashboard is not getting filtered and shows as "No results found"

Can some one guide me where i am going wrong.

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2021 04:08 AM

Hi @koreamit3483,

you have two ways:

  • to use these tokens after the lookup command,
  • create au automatic lookup.

In the first case, you have to create two dropdowns using the lookup:

| inputlookup your_lookup.csv | dedup OWNER | fields OWNER

and

| inputlookup your_lookup.csv | dedup REGION | fields REGION

then put in your search after the lookup command:

index = XXX  
| lookup your_lookup.csv SERVER_NAME OUTPUT OWNER REGION
| search OWNER="$owner_t$" and REGION="$region_t$"
| table ...

For the second way, you could follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/DefineanautomaticlookupinSplunkWeb

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2021 04:08 AM

Hi @koreamit3483,

you have two ways:

  • to use these tokens after the lookup command,
  • create au automatic lookup.

In the first case, you have to create two dropdowns using the lookup:

| inputlookup your_lookup.csv | dedup OWNER | fields OWNER

and

| inputlookup your_lookup.csv | dedup REGION | fields REGION

then put in your search after the lookup command:

index = XXX  
| lookup your_lookup.csv SERVER_NAME OUTPUT OWNER REGION
| search OWNER="$owner_t$" and REGION="$region_t$"
| table ...

For the second way, you could follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/DefineanautomaticlookupinSplunkWeb

Ciao.

Giuseppe

Reply
Solved! Jump to solution

koreamit3483
Explorer
‎12-09-2021 05:23 AM

@gcusello 

This is exactly what i was looking for and have resolved my query.

Thank you so much..

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...