How to use token in a multi-select form input?

zacksoft
Contributor

In the dashboard, I have created three multi-select input fields:
CONTINENT, COUNTRY, STATE

Example: When I click on the CONTINENT drop-down and select "Asia", the COUNTRY multiselect field automatically populates with Asian countries such as India, China, Japan, etc. Now I select "India" in the COUNTRY field and STATE gets populated with Indian states such as Delhi, Goa, etc. This works fine.
Say, for STATE, the background SPL running for the multiselect value population is something like this:

index = $continent_token$ | host=$country_token$ | table STATE

The issue arises when I select multiple values in any of the fields: then the next field doesn't populate any values. It only works when I select one value. Example: If I multi-select INDIA and CHINA under the COUNTRY field, then STATE doesn't populate anything. If I select only one, then it populates.

Could anyone guide me on how to deal with this?
I want to be able to see the STATES of both INDIA and CHINA if I multiselect those two countries.

Just to add more clarification: in our system, the index value is CONTINENT, COUNTRY is HOST and STATE is SourceType.
So basically I am looking to select multiple hosts and then should be able to see sourcetypes from all those hosts populated. I also want to be able to select multiple indexes, and the hosts of all those selected indexes should appear.

Thank you.

0 Karma
1 Solution

493669
Super Champion

Hi @zacksoft, use the below multiselect token for country:

<input type="multiselect" token="host">
  <label>select Country</label>
  <fieldForLabel>Vehicle</fieldForLabel>
  <fieldForValue>Vehicle</fieldForValue>
  <search id="idSearchSelectIndex">
    <query>your query</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <default></default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>host="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR  </delimiter>
</input>

Then use the below query for state population:

index = $continent_token$ $host$ | table STATE

0 Karma

jamin358
Explorer

You can also use the IN component of search. When you have selected multiple items in a multi-select dropdown, they are appended in a comma-separated list.

Try the following:

index IN ($continent_token$) host IN ($country_token$)

Note also, you shouldn't have pipes in between search terms.

0 Karma

TISKAR
Builder

Hello,

Here is a simple example of using multiselect; you can copy and paste this example to get the idea:

<fieldset submitButton="false">
  <input type="multiselect" token="index">
    <label>index</label>
    <choice value="_internal">_internal</choice>
    <choice value="_introspection">_introspection</choice>
    <choice value="_audit">_audit</choice>
    <choice value="_telemetry">_telemetry</choice>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>index=</valuePrefix>
    <delimiter> OR </delimiter>
  </input>
  <input type="multiselect" token="sourcetype">
    <label>sourcetype</label>
    <prefix>(</prefix>
    <suffix>)</suffix>
    <valuePrefix>sourcetype=</valuePrefix>
    <delimiter> OR </delimiter>
    <fieldForLabel>sourcetype</fieldForLabel>
    <fieldForValue>sourcetype</fieldForValue>
    <search>
      <query>$index$ | dedup sourcetype | table sourcetype</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
  </input>
</fieldset>
0 Karma

zacksoft
Contributor

I used as you suggested near COUNTRY (i.e. near host)

<input type="multiselect" token="choose_host" searchWhenChanged="true">
      <label>Step-2 &gt;&gt;  Host</label>
      <fieldForLabel>Vehicle</fieldForLabel>
      <fieldForValue>Vehicle</fieldForValue>
      <search id="idSearchSelectIndex"> 
       <query>index = $choose_index$ | table host | dedup host</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
        <default></default>
       <prefix>(</prefix>
       <suffix>)</suffix>
       <valuePrefix>host="</valuePrefix>
       <valueSuffix>"</valueSuffix>
       <delimiter> OR  </delimiter>
      </search>
    </input>

But after selecting one index (CONTINENT), nothing populates in host (COUNTRY).
It shows the error "Duplicate values causing conflict"

0 Karma

zacksoft
Contributor

@493669 But I got the idea, on how to deal with it.
Thank you for pointing me towards the right direction.

0 Karma

zacksoft
Contributor

@493669 - Just to add more clarification: in our system, the index value is CONTINENT, COUNTRY is HOST and STATE is SourceType.
So basically I am looking to select multiple hosts and then should be able to see sourcetypes from all those hosts populated. I also want to be able to select multiple indexes, and the hosts of all those selected indexes should appear.

0 Karma
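
The accepted answer's prefix/valuePrefix/delimiter settings applied to the whole index, host, sourcetype chain described in the question, as an added example that is not code from any poster in this thread. The token names (index_tok, host_tok, sourcetype_tok), the labels, the population searches and the 24-hour time range are assumptions.

```xml
<form>
  <label>Index / host / sourcetype cascade (added example)</label>
  <fieldset submitButton="false">
    <!-- Step 1: index (CONTINENT). Two selections render as (index="a" OR index="b"). -->
    <input type="multiselect" token="index_tok" searchWhenChanged="true">
      <label>Index</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| eventcount summarize=false index=* | dedup index | fields index</query>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Step 2: host (COUNTRY). The index token is already a complete boolean clause. -->
    <input type="multiselect" token="host_tok" searchWhenChanged="true">
      <label>Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>$index_tok$ | stats count by host | fields host</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Step 3: sourcetype (STATE), limited to every selected index and host. -->
    <input type="multiselect" token="sourcetype_tok" searchWhenChanged="true">
      <label>Sourcetype</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>$index_tok$ $host_tok$ | stats count by sourcetype | fields sourcetype</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
</form>
```

Because each token carries its own field name, quotes and parentheses, the dependent queries use the bare token ($index_tok$, not index=$index_tok$), and the prefix and delimiter elements sit directly under each input rather than inside its search element.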