Dashboards & Visualizations

How to exclude dedup when there is a dropdown select in splunk dashboard studio

spoo
Explorer

My dashboard has a dropdown "System" and few panels. Dropdown system has "A", "b", "c". If  i choose "A" from the dropdown, then panels should exclude these 2 lines -


| dedup time_day, name
| dedup ID


from the base search and execute.

Base :

| pivot XYZ_dm .....
| dedup time_day, name
| dedup ID
| table *

if I choose "b" or "c" from dropdown, base should execute as it is in all the panels.

Please suggest

Labels (4)
0 Karma
1 Solution

danspav
SplunkTrust
SplunkTrust

Hi @spoo,

If you are using Simple XML, here's how you can create a snippet of SPL and add it to your base search:

1. Create some conditions on your dropdown so when the user changes the input it will create a snippet of SPL in a new token.

If the user selects "System A" then we set the token to "|noop" which is just SPL that does nothing.
If the user selects "System B" or "System C" then it sets the token to "| dedup time_day, name | dedup ID"

 

<change>
        <condition label="System A">
          <set token="SPL">| noop</set>
        </condition>
        <condition label="System B">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
        <condition label="System C">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
      </change>​​

 

2. Add the token to your base search (or chain search)
Now we update the search to include the token where previously you had the |dedupe.. command:

 

 

 <search>
<query>| pivot XYZ_dm .....
$SPL$
| table *
</query>
</search>​

 

When the token is set to "|noop" it won't affect the search results. When it is "|dedup..."  it will add those commands to the search.

 

Here's the code in an example dashboard:

 

<form version="1.1">
  <label>My Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="system">
      <label>System</label>
      <choice value="System A">System A</choice>
      <choice value="System B">System B</choice>
      <choice value="System C">System C</choice>
      <change>
        <condition label="System A">
          <set token="SPL">| noop</set>
        </condition>
        <condition label="System B">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
        <condition label="System C">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
      </change>
      <default>System A</default>
      <initialValue>System A</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>SPL=$SPL$</title>
      <event>
        <search>
          <query>| makeresults
$SPL$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

 

 

Hopefully that helps.

Cheers,
Daniel

View solution in original post

danspav
SplunkTrust
SplunkTrust

Hi @spoo,

If you are using Simple XML, here's how you can create a snippet of SPL and add it to your base search:

1. Create some conditions on your dropdown so when the user changes the input it will create a snippet of SPL in a new token.

If the user selects "System A" then we set the token to "|noop" which is just SPL that does nothing.
If the user selects "System B" or "System C" then it sets the token to "| dedup time_day, name | dedup ID"

 

<change>
        <condition label="System A">
          <set token="SPL">| noop</set>
        </condition>
        <condition label="System B">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
        <condition label="System C">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
      </change>​​

 

2. Add the token to your base search (or chain search)
Now we update the search to include the token where previously you had the |dedupe.. command:

 

 

 <search>
<query>| pivot XYZ_dm .....
$SPL$
| table *
</query>
</search>​

 

When the token is set to "|noop" it won't affect the search results. When it is "|dedup..."  it will add those commands to the search.

 

Here's the code in an example dashboard:

 

<form version="1.1">
  <label>My Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="system">
      <label>System</label>
      <choice value="System A">System A</choice>
      <choice value="System B">System B</choice>
      <choice value="System C">System C</choice>
      <change>
        <condition label="System A">
          <set token="SPL">| noop</set>
        </condition>
        <condition label="System B">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
        <condition label="System C">
          <set token="SPL">| dedup time_day, name | dedup ID</set>
        </condition>
      </change>
      <default>System A</default>
      <initialValue>System A</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>SPL=$SPL$</title>
      <event>
        <search>
          <query>| makeresults
$SPL$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="list.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>

 

 

Hopefully that helps.

Cheers,
Daniel

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...