Dashboards & Visualizations

How to update a drop-down based on the value selected in another drop-down with tokens?

markdflip
Path Finder

Let's say I have two drop-downs. The first drop-down represents a set of trials. Let's say there were three trials. The second drop-down represents runs in each trial.

Trials drop-down:

All
1
2
3

Tests drop-down:

All
1A
1B
1C
2A
2B
2C
3A
3B
3C

Is there a way to update the trials drop-down based on the Tests drop-down? Meaning if I select "1A" from Tests, that the Trials drop-down would change to "A" and display that value? All should be the default setting when the dashboard loads, but that's throwing me off with selectFirstChoice

0 Karma

gokadroid
Motivator

Assuming that:
1) trialsField has trials value
2) testsField has test values
3) trialsToken gets set when the value is selected by trialsDropdown
4) testsToken gets set when the value is selected by testsDropdown

Try below:

This dropdown below populates the list with trialsField and whatever user will select, the value of trialsField will be saved in trialsToken. "All" is kept as default value which will set "*" as a value.

<input type="dropdown" token="trialsToken" searchWhenChanged="true">
  <label>Trials Lable</label>
  <search>
    <query>query that populates the trials list |  stats count by trialsField| table trialsField</query>
    <earliest>earliest time for query</earliest>
    <latest>latest time for query</latest>
  </search>
  <fieldForLabel>trialsField</fieldForLabel>
  <fieldForValue>trialsField</fieldForValue>
  <choice value="*">All</choice>
</input>

Once the value of trialsField is received in trialsToken then this is used in the second dropdown, where:

  1. testsPrefix is evaluated from the testsFields i.e. "1" is extracted from testsField="1A"
  2. this testsPrefix is matched with trialsToken so you only receive "1A, 1B..." and populate the testsFields




    your Query to bring up the testsFields | eval testsPrefix=substr(testsField,1,1)| search testsPrefix="$trialsToken$"| stats count by testsField| table testsField
    earliest time for query
    latest time for query

    testsField
    testsField
    All

You can choose the desired substring indexes substr(testsField,1,1) as this one is actually taking out "1" out of "1A"
Also testsToken and trialsToken can then be used in other searches as well.

0 Karma

gokadroid
Motivator

If I understood correctly you want:

when you select "1" from Trials dropdown, Tests dropdown should populate "1A,1B,1C..." all the tests corresponding to Tests=1.

Also I am assuming you already have a field (field extraction) that has field values "1,2,3...." and "1A, 1B, 1C"
i.e.
testField will have values 1,2,3,...
trials field will have values 1A,1B,2A,2B...etc..

0 Karma

markdflip
Path Finder

You got it. The fields are slightly more complicated, but Trials are a substring of Tests.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...