- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to exclude dedup when there is a dropdown sele...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My dashboard has a dropdown "System" and few panels. Dropdown system has "A", "b", "c". If i choose "A" from the dropdown, then panels should exclude these 2 lines -
| dedup time_day, name
| dedup ID
from the base search and execute.
Base :
| pivot XYZ_dm .....
| dedup time_day, name
| dedup ID
| table *
if I choose "b" or "c" from dropdown, base should execute as it is in all the panels.
Please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @spoo,
If you are using Simple XML, here's how you can create a snippet of SPL and add it to your base search:
1. Create some conditions on your dropdown so when the user changes the input it will create a snippet of SPL in a new token.
If the user selects "System A" then we set the token to "|noop" which is just SPL that does nothing.
If the user selects "System B" or "System C" then it sets the token to "| dedup time_day, name | dedup ID"
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
2. Add the token to your base search (or chain search)
Now we update the search to include the token where previously you had the |dedupe.. command:
<search>
<query>| pivot XYZ_dm .....
$SPL$
| table *
</query>
</search>
When the token is set to "|noop" it won't affect the search results. When it is "|dedup..." it will add those commands to the search.
Here's the code in an example dashboard:
<form version="1.1">
<label>My Dashboard</label>
<fieldset submitButton="false">
<input type="dropdown" token="system">
<label>System</label>
<choice value="System A">System A</choice>
<choice value="System B">System B</choice>
<choice value="System C">System C</choice>
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
<default>System A</default>
<initialValue>System A</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>SPL=$SPL$</title>
<event>
<search>
<query>| makeresults
$SPL$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
Hopefully that helps.
Cheers,
Daniel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @spoo,
If you are using Simple XML, here's how you can create a snippet of SPL and add it to your base search:
1. Create some conditions on your dropdown so when the user changes the input it will create a snippet of SPL in a new token.
If the user selects "System A" then we set the token to "|noop" which is just SPL that does nothing.
If the user selects "System B" or "System C" then it sets the token to "| dedup time_day, name | dedup ID"
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
2. Add the token to your base search (or chain search)
Now we update the search to include the token where previously you had the |dedupe.. command:
<search>
<query>| pivot XYZ_dm .....
$SPL$
| table *
</query>
</search>
When the token is set to "|noop" it won't affect the search results. When it is "|dedup..." it will add those commands to the search.
Here's the code in an example dashboard:
<form version="1.1">
<label>My Dashboard</label>
<fieldset submitButton="false">
<input type="dropdown" token="system">
<label>System</label>
<choice value="System A">System A</choice>
<choice value="System B">System B</choice>
<choice value="System C">System C</choice>
<change>
<condition label="System A">
<set token="SPL">| noop</set>
</condition>
<condition label="System B">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
<condition label="System C">
<set token="SPL">| dedup time_day, name | dedup ID</set>
</condition>
</change>
<default>System A</default>
<initialValue>System A</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>SPL=$SPL$</title>
<event>
<search>
<query>| makeresults
$SPL$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
</form>
Hopefully that helps.
Cheers,
Daniel
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
