Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a dashboard with a drop-down form where users can select fields from a CSV file to filter search results on indexed events?

splgeek
Explorer
‎11-22-2016 11:07 AM

I have logs that have information like the following

BROWSER_TYPE
USER_NAME
IP Address

I have a CSV file that I have uploaded, given Global permission.

That CSV file contains:

FIRST_NAME  LAST_NAME   FULL_NAME   USER_ID USERNAME    EMAIL   WORKDOTCOM_USER User.Employee_Type__c   User.Group__c   DIVISION    DEPARTMENT  User.Business_Unit__c   User.Country__c PROFILE CREATED_DATE    LAST_UPDATE LAST_LOGIN

What I want to add to my Dashboard:
In My dashboard, I want to add drop-down form so user can select DIVISION, DEPARTMENT from the csv and filter data accordingly

0 Karma
Reply

sundareshr
Legend
‎11-22-2016 11:20 AM

First, create two dropdown. 1 with token="div" second with token="dept". The queries for the two should be

<input type="dropdown" token="div">
<search><query>| inputlookup csvfile.csv | fields DIVISION | dedup DIVISION | sort DIVISION</query></search>
...
</input>

<input type="dropdown" token="dept">
<search><query>| inputlookup csvfile.csv | where DIVISION=$div$ | dedup dept | field dept | sort dept</query></search>
...
</input>

Then, add a table

  <table>
    <search>
      <query>index=foo sourcetype=bar | lookup csvfile.csv USERNAME AS  USER_NAME OUTPUT DIVISION DEPARTMENT  | where DEPARTMENT=$dept$ AND DIVISION=$div$ | table <<list of fields you would like to display>> </query>
      <earliest>@d</earliest>
      <latest>now</latest>
    </search>
  </table>
0 Karma
Reply

splgeek
Explorer
‎11-22-2016 11:44 AM

Thanks
1st token Div was fine, it populated results in the dropdown

2nd token dept did not work- wont populate anything. - I tried this too | inputlookup All_Users.csv | where DEPARTMENT=$dept$ | dedup DEPARTMENT| fields DEPARTMENT| sort DEPARTMENT

also
when you say Add Table, what do you mean by that

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...