Dashboards & Visualizations

How to create multiple nested filters in a dashboard?

msage
Path Finder

I'm looking to find a way to have multiple nested filters in a dashboard. Currently I'm creating attendance charts for our estaff and we require some more granularity due to the amount of unique data there is. The goal is to be able to isolate 3 values. Function, Hierarchy, and Cost Center. Currently there are 3 functions, 28 hierarchies, and nearly 200 cost centers. With the nested filters I hope to be able to choose a function which would only populate hierarchies under that function. Then when choosing a hierarchy only populating the cost centers under it. 

 

The issue I'm running into is that I'm able to create a two filters but once I add the 3rd filter the entire search breaks and the charts no longer update. 

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @msage,

you have to create three dopdowns releted with tokens, something like this:

    <input type="dropdown" token="scope">
      <label>Scope</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>code_scope="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>description_scope</fieldForLabel>
      <fieldForValue>code_scope</fieldForValue>
      <search>
        <query>
          <your_search>
          | dedup code_scope
          | sort code_scope
          | table code_scope description_scope</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="macroprocess">
      <label>Macro Process</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>code_macroprocess="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>description_macroprocess</fieldForLabel>
      <fieldForValue>code_macroprocess</fieldForValue>
      <search>
        <query>
          <your_search> $scope$
          | dedup code_macroprocess
          | sort code_macroprocess
          | table code_macroprocess description_macroprocess
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="process">
      <label>Process</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>description_process</fieldForLabel>
      <fieldForValue>code_process</fieldForValue>
      <search>
        <query>
          <your_search> $scope$ $macroprocess$
          | dedup code_process
          | sort code_process
          | table code_process description_process</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <prefix>code_process="</prefix>
      <suffix>"</suffix>
    </input>

In few words: in the second dropdown you have to insert the first token and the third the first and the second.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @msage,

you have to create three dopdowns releted with tokens, something like this:

    <input type="dropdown" token="scope">
      <label>Scope</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>code_scope="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>description_scope</fieldForLabel>
      <fieldForValue>code_scope</fieldForValue>
      <search>
        <query>
          <your_search>
          | dedup code_scope
          | sort code_scope
          | table code_scope description_scope</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="macroprocess">
      <label>Macro Process</label>
      <choice value="*">All</choice>
      <default>*</default>
      <prefix>code_macroprocess="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>description_macroprocess</fieldForLabel>
      <fieldForValue>code_macroprocess</fieldForValue>
      <search>
        <query>
          <your_search> $scope$
          | dedup code_macroprocess
          | sort code_macroprocess
          | table code_macroprocess description_macroprocess
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="process">
      <label>Process</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>description_process</fieldForLabel>
      <fieldForValue>code_process</fieldForValue>
      <search>
        <query>
          <your_search> $scope$ $macroprocess$
          | dedup code_process
          | sort code_process
          | table code_process description_process</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <prefix>code_process="</prefix>
      <suffix>"</suffix>
    </input>

In few words: in the second dropdown you have to insert the first token and the third the first and the second.

Ciao.

Giuseppe

msage
Path Finder

Looks like this solution worked! However I did have to make a tweak to make mine work. I added a line underneath the inputlookup and used the search command. And then in the actual chart I did the same and added all 3 tokens. Thank you for your help! 

<input type="dropdown" token="Function">
      <label>Function</label>
      <fieldForLabel>Function</fieldForLabel>
      <fieldForValue>Function</fieldForValue>
      <search>
        <query>|inputlookup all_users.csv |table Function |dedup Function</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
    <input type="dropdown" token="Hierarchy">
      <label>Hierarchy</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Hierarchy</fieldForLabel>
      <fieldForValue>Hierarchy</fieldForValue>
      <search>
        <query>|inputlookup all_users.csv
|search Function="$Function$"
|table Hierarchy
|dedup Hierarchy</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="Cost_Center">
      <label>Cost Center</label>
      <fieldForLabel>Cost_Center</fieldForLabel>
      <fieldForValue>Cost_Center</fieldForValue>
      <search>
        <query>|inputlookup all_users.csv |search Function="$Function$" Hierarchy="$Hierarchy$"
|table Cost_Center |dedup Cost_Center</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
    </input>
  </fieldset>

 

0 Karma

jotne
Builder

I do use a base search to get all data in one go. The you have all variable search.

 

|inputlookup all_users.csv | search Function"$Functions$" +++

 

Then I use that base search in all Input/Dashboard/Table etc.

So if one input is changed. all other follows

 

Look at this Dashboard (that we use to get all server logs in one view)

 

<form version="1.5" theme="dark">
  <label>List of server log message</label>

  <search id="base_search">
    <query>
      index=_internal
      sourcetype=splunkd
      source="*splunkd.log"
      NOT source="*splunk*forwarder*splunkd.log"
      | rex "(?&lt;severity&gt;(?:INFO|WARN|ERROR))\s+(?&lt;module&gt;\S+)\s\[(?&lt;id&gt;\S+)\s(?&lt;sub&gt;[^\]]+)\]\s-(?:\s+(?&lt;message&gt;(?&lt;message_header&gt;\S+).*))?"
      | rex field=sub "(?&lt;sub&gt;HttpClientPollingThread)_(?&lt;Server&gt;.*)"
      | rex "(?&lt;ip&gt;\d+\.\d+\.\d+\.\d+)"
      | fillnull value="" Server ip
      | search 
        host="$Host$"
        severity="$Severity$"
        module="$Module$"
        sub="$Sub$"
        $Free$
        message_header="$MessageHeader$"
      | rename host as server
      | sort 0 - _time
      | table _time server severity module id sub Server message_header message ip
    </query>
  </search>
  <fieldset submitButton="false">
    <input type="time">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Host">
      <label>Server</label>
      <search base="base_search">
        <query>
          | eval data=server
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Severity">
      <label>Severity</label>
      <search base="base_search">
        <query>
          | eval data=severity
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Module">
      <label>Module</label>
      <search base="base_search">
        <query>
          | eval data=module
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="Sub">
      <label>Sub</label>
      <search base="base_search">
        <query>
          | eval data=sub
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="MessageHeader">
      <label>Message Header</label>
      <search base="base_search">
        <query>
          | eval data=message_header
          | stats count by data
          | eval info=data." (".count.")"
          | sort -count
        </query>
      </search>
      <choice value="*">Any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>data</fieldForValue>
      <default>*</default>
    </input>
    <input type="text" token="Free">
      <label>Free Text</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Server</title>
      <chart>
        <search base="base_search">
          <query>
            | timechart count by server limit=10
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Severity</title>
      <chart>
        <search base="base_search">
          <query>
            | timechart count by severity limit=10
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Module</title>
      <chart>
        <search base="base_search">
          <query>
            | timechart count by module limit=10
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Sub</title>
      <chart>
        <search base="base_search">
          <query>
            | timechart count by sub limit=10
          </query>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search base="base_search">
          <query>
          </query>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="severity">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="module">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="message_header">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="sub">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
        <format type="color" field="Server">
          <colorPalette type="sharedList"></colorPalette>
          <scale type="sharedCategory"></scale>
        </format>
      </table>
    </panel>
  </row>
</form>
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @msage,

yes correct!

Only two little minor addings:

instead use search, you could insert the condition using "WHERE" in inputlookup command, it's more efficient but not so relevant.

I'd also add a "sort" statement at the end of the search, to have sorted values in the dropdown.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...