Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to exclude dedup when there is a dropdown sele...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My dashboard has a dropdown "System" and few panels. Dropdown system has "A", "b", "c". If i choose "A" from the dropdown, then panels should exclude these 2 lines -
| dedup time_day, name
| dedup ID
from the base search and execute.
Base :
| pivot XYZ_dm .....
| dedup time_day, name
| dedup ID
| table *
if I choose "b" or "c" from dropdown, base should execute as it is in all the panels.
Please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @spoo,
If you are using Simple XML, here's how you can create a snippet of SPL and add it to your base search:
1. Create some conditions on your dropdown so when the user changes the input it will create a snippet of SPL in a new token.
If the user selects "System A" then we set the token to "|noop" which is just SPL that does nothing.
If the user selects "System B" or "System C" then it sets the token to "| dedup time_day, name | dedup ID"
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
2. Add the token to your base search (or chain search)
Now we update the search to include the token where previously you had the |dedupe.. command:
<search>
<query>| pivot XYZ_dm .....
$SPL$
| table *
</query>
</search>
When the token is set to "|noop" it won't affect the search results. When it is "|dedup..." it will add those commands to the search.
Here's the code in an example dashboard:
<form version="1.1">
<label>My Dashboard</label>
<fieldset submitButton="false">
<input type="dropdown" token="system">
<label>System</label>
<choice value="System A">System A</choice>
<choice value="System B">System B</choice>
<choice value="System C">System C</choice>
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
<default>System A</default>
<initialValue>System A</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>SPL=$SPL$</title>
<event>
<search>
<query>| makeresults
$SPL$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
Hopefully that helps.
Cheers,
Daniel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @spoo,
If you are using Simple XML, here's how you can create a snippet of SPL and add it to your base search:
1. Create some conditions on your dropdown so when the user changes the input it will create a snippet of SPL in a new token.
If the user selects "System A" then we set the token to "|noop" which is just SPL that does nothing.
If the user selects "System B" or "System C" then it sets the token to "| dedup time_day, name | dedup ID"
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
2. Add the token to your base search (or chain search)
Now we update the search to include the token where previously you had the |dedupe.. command:
<search>
<query>| pivot XYZ_dm .....
$SPL$
| table *
</query>
</search>
When the token is set to "|noop" it won't affect the search results. When it is "|dedup..." it will add those commands to the search.
Here's the code in an example dashboard:
<form version="1.1">
<label>My Dashboard</label>
<fieldset submitButton="false">
<input type="dropdown" token="system">
<label>System</label>
<choice value="System A">System A</choice>
<choice value="System B">System B</choice>
<choice value="System C">System C</choice>
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
<default>System A</default>
<initialValue>System A</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>SPL=$SPL$</title>
<event>
<search>
<query>| makeresults
$SPL$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
Hopefully that helps.
Cheers,
Daniel
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
