I have a dashboard panel with input text field A that upon submitting the form, will be appended to column A in inputlookup X. But prior to appending, I need to validate if field A from inputlookup X matches any of the field values in field B in inputlookup Y. If field A from inputlookup X matches field B from inputlookup Y then display an error message and abort the append.
Any ideas on how to perform this sort of cross lookup validation?
Thanks so much.
The basic pattern you're describing is this:
1. Look up field A from event in file Y, where it is known as B
2. If there is a result in step 1, then output some sort of flag
3. Filter out all results with flag set
4. Append remaining items (if any) to file X
Look up field A from event in file Y, where it is known as B
As I don't know if there are any other fields in file Y, I'll just output B again and name it flag_field for demonstration purposes.
| lookup Y B AS A OUTPUT B as flag_field
This step also outputs the flag, so step 2 is accomplished.
Filter out all results with flag set
Here I'll use where to look for events that do not have the field flag_field (e.g. where it is null)
| where isnull(flag_field)
Append remaining items (if any) to file X
| outputlookup append=t X
If there were no results after the filter, this will have no effect.
your base search that contains events with field A
| lookup Y B AS A OUTPUT B as flag_field
| where isnull(flag_field)
| outputlookup append=t X
@elliotproebstel - thanks so much for your answer, that solution worked 🙂
Is there a way to display an alert box or something if there is a field match between field A on lookup X and field B on lookup Y - just to notify/alert the user that the entered value will NOT be appended to lookup X?
Step 1: Set token
Edit the source code of your dashboard. Look for the <search> element that you coded with the code above. You'll modify it like this:
<search>
  <query> ... </query>
  <earliest> ... </earliest>
  <latest> ... </latest>
  <done>
    <condition match="'job.resultCount' == 0">
      <set token="show_alert">true</set>
    </condition>
    <condition>
      <unset token="show_alert" />
    </condition>
  </done>
</search>
Note: don't modify the elements I've denoted with ... - those are placeholders.
Step 2: Configure panel to display based on token setting
Add a panel to your dashboard that simply contains the alert you'd like to display. Edit the source code of the dashboard, and in the <panel> element for the alert panel, add a depends clause like this:
More info about showing and hiding content on a dashboard can be found here:
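The two steps above combined into one Simple XML form, as an added example that is not part of the original thread. X and Y are the thread's placeholder lookup names; the input token field_a, the makeresults base search and the alert wording are assumptions. The |s token filter quotes the typed value so the search treats it as a string literal and not as SPL.

```xml
<form>
  <label>Append to lookup X after checking lookup Y</label>
  <fieldset submitButton="true" autoRun="false">
    <!-- field_a is a hypothetical token name for the text input -->
    <input type="text" token="field_a">
      <label>Field A</label>
    </input>
  </fieldset>
  <row>
    <!-- Shown only while show_alert is set, i.e. the search returned no rows -->
    <panel depends="$show_alert$">
      <html>
        <p>The entered value matches field B in lookup Y and was not appended to lookup X.</p>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <!-- $field_a|s$ wraps the user input in quotes and escapes it -->
          <query>| makeresults
| eval A=$field_a|s$
| lookup Y B AS A OUTPUT B AS flag_field
| where isnull(flag_field)
| table A
| outputlookup append=t X</query>
          <done>
            <!-- Zero rows left after the filter means the value matched B in Y -->
            <condition match="'job.resultCount' == 0">
              <set token="show_alert">true</set>
            </condition>
            <condition>
              <unset token="show_alert" />
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>
```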
Awesome thanks. I used the "simple XML" route and added a conditional panel that hides/displays depending upon returned events.
As far as using JS, that means converting the panel from XML to HTML; is that correct? I came across this http://dev.splunk.com/view/SP-CAAAEM2 as far as configuring HTML panels; was wondering if you know of a more comprehensive developer guide on working with HTML panels; as in:
Thanks so much.
<dashboard> element like this: <dashboard script="my_js_file.js">. Then place the JS file into $SPLUNK_HOME/etc/apps/<appname>/appserver/static with appropriate permissions. To make Splunk pick up the new JS file, you'll need to do a debug/refresh by visiting:
I think this is a pretty comprehensive guide to get started on adding a JS file to your dashboard: