
How to create dropdown menu from multiple sources?

michael_vi
Path Finder

Hi all,

I need to create 2 drop down fields that depend on each other from several sources:

 

| makeresults
| eval name = "a"
| eval value = mvappend("1","2","3","4","5")
| union
[| makeresults
| eval name = "b"
| eval value = mvappend("a","b","c","d","e")
]
| union
[| makeresults
| eval name = "c"
| eval value = mvappend("qq","ss","ff","gg","rr")
]
| table name value
| stats values(*) as * by name value

When I choose A, I get only A values. B - only B values, etc.

The queries are coming from several sources, so I can't append or union, I need to create a token for each value.

Please assist

Name Value
A A values
0 Karma

michael_vi
Path Finder

I need to create one drop down for all the sources.

Under input name I'll have A | B | C and each time I choose the name, I'll see the corresponding values in the Value input

query 1
set token = query1

query 2
set token = query2

query 3
set token = query3

And the drop down input will present all 3 names

0 Karma

ITWhisperer
SplunkTrust

Can you share the simple XML for your drop downs in a code block </> please?

0 Karma

michael_vi
Path Finder
<form>
  <label>dropdown_</label>
  <search id="base1">
    <query>| makeresults
| eval name = "Disney"
| eval value = mvappend("Mickey Mouse","Donald Duck","Dumbo","Scooby","Olaf")
| table name value
| stats values(*) as * by name value</query>
    <sampleRatio>1</sampleRatio>
    <done>
      <set token="value_tok">$result.value$</set>
    </done>
  </search>
  <search id="base2">
    <query>| makeresults
| eval name = "WB"
| eval value = mvappend("Pinky","Brain","Daffy Duck","Bugs","Batman")
| table name value
| stats values(*) as * by name value</query>
    <sampleRatio>1</sampleRatio>
    <done>
      <set token="value_tok">$result.value$</set>
    </done>
  </search>
  <search id="base3">
    <query>| makeresults
| eval name = "SesameStreet"
| eval value = mvappend("Elmo","Bert","Big Bird","Kermit","Ernie")
| table name value
| stats values(*) as * by name value</query>
    <sampleRatio>1</sampleRatio>
    <done>
      <set token="value_tok">$result.value$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="name_tok">
      <label>Name</label>
      <choice value="Disney">Disney</choice>
      <choice value="WB">WB</choice>
      <choice value="SesameStreet">SesameStreet</choice>
      <change>
        <condition value="Disney">
          <set token="disney_tok">true</set>
          <unset token="wb_tok"></unset>
          <unset token="sesame_tok"></unset>
        </condition>
        <condition value="WB">
          <unset token="disney_tok"></unset>
          <set token="wb_tok">true</set>
          <unset token="sesame_tok"></unset>
        </condition>
        <condition value="SesameStreet">
          <unset token="disney_tok"></unset>
          <unset token="wb_tok"></unset>
          <set token="sesame_tok">true</set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="value_tok">
      <label>field1</label>
      <fieldForLabel>value</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| search name = "$name_tok$" 
| search value = "$value_tok$"</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel depends="$disney_tok$">
      <table>
        <search base="base1">
          <query>| table * 
| search name = "$name_tok$"
| search value = "$value_tok$"</query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$wb_tok$">
      <table>
        <search base="base2">
          <query>| table *
| search name = "$name_tok$"
| search value = "$value_tok$"</query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$sesame_tok$">
      <table>
        <search base="base3">
          <query>| table *
| search name = "$name_tok$"
| search value = "$value_tok$"</query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

I need for the second drop down to be connected to first drop down and to each table

 

0 Karma

ITWhisperer
SplunkTrust

Try something like this

<form>
  <label>dropdown_</label>
  <search id="base1">
    <query>| makeresults
| eval name = "Disney"
| eval value = mvappend("Mickey Mouse","Donald Duck","Dumbo","Scooby","Olaf")
| table name value
| stats values(*) as * by name value</query>
    <sampleRatio>1</sampleRatio>
  </search>
  <search id="base2">
    <query>| makeresults
| eval name = "WB"
| eval value = mvappend("Pinky","Brain","Daffy Duck","Bugs","Batman")
| table name value
| stats values(*) as * by name value</query>
    <sampleRatio>1</sampleRatio>
  </search>
  <search id="base3">
    <query>| makeresults
| eval name = "SesameStreet"
| eval value = mvappend("Elmo","Bert","Big Bird","Kermit","Ernie")
| table name value
| stats values(*) as * by name value</query>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="name_tok">
      <label>Name</label>
      <choice value="| makeresults 
| eval name = &quot;Disney&quot;
| eval value = mvappend(&quot;Mickey Mouse&quot;,&quot;Donald Duck&quot;,&quot;Dumbo&quot;,&quot;Scooby&quot;,&quot;Olaf&quot;)
| table name value
| stats values(*) as * by name value">Disney</choice>
      <choice value="| makeresults
| eval name = &quot;WB&quot;
| eval value = mvappend(&quot;Pinky&quot;,&quot;Brain&quot;,&quot;Daffy Duck&quot;,&quot;Bugs&quot;,&quot;Batman&quot;)
| table name value
| stats values(*) as * by name value">WB</choice>
      <choice value="| makeresults
| eval name = &quot;SesameStreet&quot;
| eval value = mvappend(&quot;Elmo&quot;,&quot;Bert&quot;,&quot;Big Bird&quot;,&quot;Kermit&quot;,&quot;Ernie&quot;)
| table name value
| stats values(*) as * by name value">SesameStreet</choice>
      <change>
        <condition label="Disney">
          <set token="disney_tok">true</set>
          <unset token="wb_tok"></unset>
          <unset token="sesame_tok"></unset>
          <unset token="form.value_tok"></unset>
        </condition>
        <condition label="WB">
          <unset token="disney_tok"></unset>
          <set token="wb_tok">true</set>
          <unset token="sesame_tok"></unset>
          <unset token="form.value_tok"></unset>
        </condition>
        <condition label="SesameStreet">
          <unset token="disney_tok"></unset>
          <unset token="wb_tok"></unset>
          <set token="sesame_tok">true</set>
          <unset token="form.value_tok"></unset>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="value_tok">
      <label>field1</label>
      <fieldForLabel>value</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>$name_tok$</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel depends="$disney_tok$">
      <table>
        <search base="base1">
          <query></query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$wb_tok$">
      <table>
        <search base="base2">
          <query></query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$sesame_tok$">
      <table>
        <search base="base3">
          <query></query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

michael_vi
Path Finder

That will work if you know the values of the "values" column, but I don't.

For example: 

| makeresults count=10
| eval name = "Disney"
| eval value = "user".random() % 100
0 Karma

ITWhisperer
SplunkTrust

What makes you think it won't work?

<form>
  <label>dropdown_</label>
  <search id="base1">
    <query>| makeresults count=10
| eval name = "Disney"
| eval value = "user".random()%10</query>
    <sampleRatio>1</sampleRatio>
  </search>
  <search id="base2">
    <query>| makeresults count=10
| eval name = "WB"
| eval value = "user".random()%10</query>
    <sampleRatio>1</sampleRatio>
  </search>
  <search id="base3">
    <query>| makeresults count=10
| eval name = "SesameStreet"
| eval value = "user".random()%10</query>
    <sampleRatio>1</sampleRatio>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="name_tok">
      <label>Name</label>
      <choice value="| makeresults count=10
| eval name = &quot;Disney&quot;
| eval value = &quot;user&quot;.random()%10">Disney</choice>
      <choice value="| makeresults count=10
| eval name = &quot;WB&quot;
| eval value = &quot;user&quot;.random()%10">WB</choice>
      <choice value="| makeresults count=10
| eval name = &quot;SesameStreet&quot;
| eval value = &quot;user&quot;.random()%10">SesameStreet</choice>
      <change>
        <condition label="Disney">
          <set token="disney_tok">true</set>
          <unset token="wb_tok"></unset>
          <unset token="sesame_tok"></unset>
          <unset token="form.value_tok"></unset>
        </condition>
        <condition label="WB">
          <unset token="disney_tok"></unset>
          <set token="wb_tok">true</set>
          <unset token="sesame_tok"></unset>
          <unset token="form.value_tok"></unset>
        </condition>
        <condition label="SesameStreet">
          <unset token="disney_tok"></unset>
          <unset token="wb_tok"></unset>
          <set token="sesame_tok">true</set>
          <unset token="form.value_tok"></unset>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="value_tok">
      <label>field1</label>
      <fieldForLabel>value</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>$name_tok$</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel depends="$disney_tok$">
      <table>
        <search base="base1">
          <query></query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$wb_tok$">
      <table>
        <search base="base2">
          <query></query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$sesame_tok$">
      <table>
        <search base="base3">
          <query></query>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

If you are still experiencing problems, please be more specific about your use case.

0 Karma

ITWhisperer
SplunkTrust

If I understand correctly, you have two drop downs and you want the selection made in the first to influence the values available in the second?

Set the value for each label in the first to be something that can be used in the construction of the second, e.g. | makeresults | eval value = split("$firsttoken$", " ") | mvexpand value | eval label = value

0 Karma
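
The suggestion in the last reply, written out as a complete Simple XML form. This is an added example, not code posted in the thread: the token names `name_label` and `value_tok`, the form label, and the comma delimiter (used because the thread's sample values contain spaces) are assumptions. Each choice value is plain data rather than SPL, and the `|s` token filter quotes it when it is substituted into the search.

```xml
<form>
  <label>dropdown_split_example</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="name_tok">
      <label>Name</label>
      <!-- Each choice value is a comma-separated list of values, not a query -->
      <choice value="Mickey Mouse,Donald Duck,Dumbo">Disney</choice>
      <choice value="Pinky,Brain,Daffy Duck">WB</choice>
      <choice value="Elmo,Bert,Big Bird">SesameStreet</choice>
      <change>
        <!-- $label$ holds the label of the selected choice -->
        <set token="name_label">$label$</set>
        <!-- Clear the dependent dropdown whenever the name changes -->
        <unset token="form.value_tok"></unset>
      </change>
    </input>
    <input type="dropdown" token="value_tok">
      <label>Value</label>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <!-- |s wraps the token in quotes and escapes quotes inside it -->
        <query>| makeresults
| eval value = split($name_tok|s$, ",")
| mvexpand value
| eval label = value
| table label value</query>
      </search>
    </input>
  </fieldset>
  <row>
    <!-- The panel is shown only once a value has been selected -->
    <panel depends="$value_tok$">
      <table>
        <search>
          <query>| makeresults
| eval name = $name_label|s$, value = $value_tok|s$
| table name value</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

This form only fits cases where the values for each name are known when the dashboard is written.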