Dashboards & Visualizations

How to create an ALL option in the dropdown?

anooshac
Communicator

Hi everyone, I am facing a problem with the dropdowns. I have 2 dropdowns: one is a group and the other one is a subgroup. The first dropdown has a list of the group names. The second dropdown shows the subgroups of the group selected in the first one. I want to include the option "All" in the second dropdown. I want to pass only the values of the subgroups of the respective selected group to the queries. But if I use "*" for All, it gives all the subgroups together irrespective of the group selected. Does anyone know how to solve this?

0 Karma

kamlesh_vaghela
SplunkTrust

@anooshac 

Maybe this example will help you. Can you please try it?

<form>
  <label>Group SubGroup</label>
  <search id="subgroup_search_for_values" base="subgroup_search">
    <query>| search subgroup="$tkn_subgroup$" | table subgroup | format</query>
    <done>
      <set token="condition_tkn">$result.search$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_group" searchWhenChanged="true">
      <label>Group</label>
      <fieldForLabel>group</fieldForLabel>
      <fieldForValue>group</fieldForValue>
      <search>
        <query>| makeresults count=10 
| eval a=1 
| accum a 
| eval group= if(a%2==1,"group ".a,null()) 
| filldown group 
| eval subgroup = "sub".group."_".a
| rename comment as "Upto now is for sample data only" 
| table group subgroup
| dedup group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.tkn_subgroup"></unset>
      </change>
      
    </input>
    <input type="dropdown" token="tkn_subgroup" searchWhenChanged="true">
      <label>Sub Group</label>
      <fieldForLabel>subgroup</fieldForLabel>
      <fieldForValue>subgroup</fieldForValue>
      <search id="subgroup_search">
        <query>| makeresults count=10 
| eval a=1 
| accum a 
| eval group= if(a%2==1,"group ".a,null()) 
| filldown group 
| eval subgroup = "sub".group."_".a
| rename comment as "Upto now is for sample data only" | search group="$tkn_group$"
| table group subgroup
| dedup subgroup</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

 

 

Thanks
KV


If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma

anooshac
Communicator

Hi @kamlesh_vaghela, thank you for replying.

Actually, I have a source file in which group and subgroup are present. The solution you provided automatically prepares data, right? Can you help me with how I can use this query for my data? My source file is a CSV file.

0 Karma

kamlesh_vaghela
SplunkTrust

Yes @anooshac 

Please share sample data, including the part of the data that has the Group and Subgroup names, so I can help you with the search design.

KV

0 Karma

anooshac
Communicator

@kamlesh_vaghela, this is what the data looks like in the CSV file. It has one or two lines.

Group;Sub_Group; Url ; Date

A; A1; https:...; 31-03-2022

A;A2;https.....;01-04-2022

I have many files in this format. I am trying to prepare a dashboard from this data which has a drilldown for both Group and subgroup. When I click on any of the groups it should show "All" by default. Currently it does. But "All" is treated as * and not as all the subgroups of the particular group.

0 Karma

kamlesh_vaghela
SplunkTrust

@anooshac 

Just confirming, did you get the fields extracted from the CSV file? Can you please confirm by executing the search below?

YOUR_SEARCH_FOR_CSV_EVENTS
| table _raw Group Sub_Group Url Date

 

KV

0 Karma

anooshac
Communicator

@kamlesh_vaghela,

Yes. I get the fields extracted from the CSV file.

0 Karma

kamlesh_vaghela
SplunkTrust

@anooshac 

Can you please try this XML? Just make sure you replace the search below in the XML with your search, which should have Group and Sub_Group fields with proper values.

| makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 

 

XML:

 

<form>
  <label>Group SubGroup</label>
  <search id="subgroup_search_for_values" base="subgroup_search">
    <query>| search Sub_Group="$tkn_subgroup$" | table Sub_Group | format</query>
    <done>
      <set token="condition_tkn">$result.search$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tkn_group" searchWhenChanged="true">
      <label>Group</label>
      <fieldForLabel>Group</fieldForLabel>
      <fieldForValue>Group</fieldForValue>
      <search>
        <query>| makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 
| dedup Group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <unset token="form.tkn_subgroup"></unset>
      </change>
      
    </input>
    <input type="dropdown" token="tkn_subgroup" searchWhenChanged="true">
      <label>Sub Group</label>
      <fieldForLabel>Sub_Group</fieldForLabel>
      <fieldForValue>Sub_Group</fieldForValue>
      <search id="subgroup_search">
        <query>
        | makeresults 
| eval _raw="Group;Sub_Group; Url; Date
A;A1;https://community.splunk.com;31-03-2022
A;A2;https://community.splunk.com;01-04-2022
B;B1;https://community.splunk.com;31-03-2022
B;B2;https://community.splunk.com;01-04-2022" 
| multikv forceheader=1 
| table Group Sub_Group 
| search Group="$tkn_group$"
| dedup Sub_Group</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        $condition_tkn$
      </html>
    </panel>
  </row>
</form>

 

Thanks
KV


If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma
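
How the `condition_tkn` token built by the form above can drive an actual panel query instead of only being printed, as an added example that is not part of the original thread. `YOUR_SEARCH_FOR_CSV_EVENTS` is the placeholder used earlier in the thread and the panel title is an assumption; the `|s` token filter is used so that dropdown values are quoted and escaped when they are substituted into SPL.

```xml
<!-- Added example, not from the thread. Two fragments for the form above. -->

<!-- 1) Post-process search: same logic as subgroup_search_for_values, but the
        token goes through the |s filter, which wraps the value in quotes and
        escapes quotes inside it. "*" (All) still matches as a wildcard, and
        because the base search is already limited to the selected Group,
        format only lists that group's sub groups. -->
<search id="subgroup_search_for_values" base="subgroup_search">
  <query>| search Sub_Group=$tkn_subgroup|s$ | table Sub_Group | format</query>
  <done>
    <set token="condition_tkn">$result.search$</set>
  </done>
</search>

<!-- 2) Consuming panel: replaces the <html> row that only displays the token.
        depends keeps the panel hidden until condition_tkn has been set. -->
<row>
  <panel depends="$condition_tkn$">
    <title>Events for the selected sub groups</title>
    <table>
      <search>
        <!-- condition_tkn expands to e.g.
             ( ( Sub_Group="A1" ) OR ( Sub_Group="A2" ) ) -->
        <query>YOUR_SEARCH_FOR_CSV_EVENTS
| search Group=$tkn_group|s$ $condition_tkn$
| table Group Sub_Group Url Date</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </table>
  </panel>
</row>
```
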

anooshac
Communicator

Thank you so much, it is working.

0 Karma