Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass values between 2 input lookups?

phwork
Explorer
‎01-26-2023 06:51 AM

Hello

I have 2 lookups.

The first one will be getting inputs from a dashboard and getting saved to the lookup(for example: a column called <username>).

The second lookup has the same data from the first lookup with additional information(for example : columns called <username>,<usercity>,<userstate> ,<usercountry>).

I'm trying to take the inputs from the first lookup > use information from the second lookup> and map it out using a clustermap. 

Can someone help me with the spl ?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-26-2023 08:26 AM

Hi @phwork,

let me understand: you have two lookups, both have the same first column and the second has more columns.

You want to use the first as input dropdown for the second to display in dashboard, is it correct?

If this is your need, only one question: why you want to use two lookups instead only one (obviously the complete one)?

you could try something like this :

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>username</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup your_lookup.csv | fields username</query>
        <earliest>$Time.earliest$</earliest>
        <latest>$Time.latest$</latest>
      </search>
      <fieldForLabel>username</fieldForLabel>
      <fieldForValue>username</fieldForValue>
      <default>*</default>
      <prefix>username="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
             | inputlookup your_lookup.csv WHERE $username$
             | table username usercity userstate
          </query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Ciao.

Giuseppe

0 Karma
Reply

phwork
Explorer
‎01-26-2023 08:43 AM

Hello

Thank you for your reply.

The reason for having 2 lookups is that the  first one contains only 50 and a few more as the users enter them in. The second lookup contains a list of 500 records.

Only the entries from the first lookup matter, and need to be displayed on the map using the information in the second table.

And both are on different dashboards, the users enter their information on one dashboard and the results are processed and displayed on another dashboard. It cant be on the same dash.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...