Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to pass values between 2 input lookups?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to pass values between 2 input lookups?
Hello
I have 2 lookups.
The first one will be getting inputs from a dashboard and getting saved to the lookup(for example: a column called <username>).
The second lookup has the same data from the first lookup with additional information(for example : columns called <username>,<usercity>,<userstate> ,<usercountry>).
I'm trying to take the inputs from the first lookup > use information from the second lookup> and map it out using a clustermap.
Can someone help me with the spl ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @phwork,
let me understand: you have two lookups, both have the same first column and the second has more columns.
You want to use the first as input dropdown for the second to display in dashboard, is it correct?
If this is your need, only one question: why you want to use two lookups instead only one (obviously the complete one)?
you could try something like this :
<form>
<label>test</label>
<fieldset submitButton="false">
<input type="dropdown" token="username" searchWhenChanged="true">
<label>username</label>
<choice value="*">All</choice>
<search>
<query>| inputlookup your_lookup.csv | fields username</query>
<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
</search>
<fieldForLabel>username</fieldForLabel>
<fieldForValue>username</fieldForValue>
<default>*</default>
<prefix>username="</prefix>
<suffix>"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>
| inputlookup your_lookup.csv WHERE $username$
| table username usercity userstate
</query>
<earliest>$Time.earliest$</earliest>
<latest>$Time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Thank you for your reply.
The reason for having 2 lookups is that the first one contains only 50 and a few more as the users enter them in. The second lookup contains a list of 500 records.
Only the entries from the first lookup matter, and need to be displayed on the map using the information in the second table.
And both are on different dashboards, the users enter their information on one dashboard and the results are processed and displayed on another dashboard. It cant be on the same dash.
Thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
