Dashboards & Visualizations

I have 3 dropdown, when i select third one it shows all host instead of from the selected first two dropdown?

mikeyty07
Communicator
Suppose i have 3 column which has Name1, Name2, Host. Name 1 and Name2 could have more that 2 host. Name1 Name2 Host abc aaa 123, 234, 345 cde bbb 456. 333, 444 efg ccc 789, 666, 777 When i select abc aaa and in host i have static All with value *. So when i select abc aaa All it displays all host instead of the selected only from the previous dropdown. eg: abc--> aaa--> All. because i have that static options and that All only should display host from those dropdown if I select All but getting all logs of other host as well . Please help
Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @mikeyty07,

in your main search, you have 

 

index=* host=$host$ $search$

 

this means that you use in your search only the condition of the third dropdown, but if you use host=*, it takes all the hosts.

The only ways to filter also for name1 and name2 are two, when applicable:

  • if you have in your main search also name1 and name2,
  • you have to use a subsearch.

the first case is the easiest and you have only to add the conditions with name1 and name2 in the main search:

 

index=* host=$host$ $search$ Name1=$name1$ Name2=$name2$ 

 

If instead this in unapplicable, you have to use a subsearch, something like this:

 

index=* host=$host$ $search$ [ | inputlookup test.csv WHERE Name1=$name1$ AND Name2=$name2$ AND host=$host$ | dedup host | fields host ]

 

In this way you take only the hosts from the third dropdown.

Ciao.

Giuseppe 

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @mikeyty07,

your request isn't so clear, so, as @ITWhisperer asked, could you share your XML code?

Anyway, did you inserted the token of the first two dropdowns in the third?

Ciao.

Giuseppe

0 Karma

mikeyty07
Communicator

I have posted my XML in the other comment please check

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share your Simple XML dropdowns and query where tokens are used

0 Karma

mikeyty07
Communicator

whenever i select from the first and second drop down it displays the host only from the first two but when i select All, displays all the host that are present in my csv file instead from only of the selected dropdown. Do i need to write some condition for the host in All to show only from the selected dropdown?

<form>
<label>test</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="field1" searchWhenChanged="true">
<label>Select Time Range</label>
<default>
<earliest>@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="name1" searchWhenChanged="true">
<label>Name1</label>
<fieldForLabel>Name1</fieldForLabel>
<fieldForValue>Name1</fieldForValue>
<search>
<query>|inputlookup test.csv |dedup Name1| table Name1</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>
<input type="dropdown" token="name2" searchWhenChanged="true">
<label>Name2</label>
<fieldForLabel>Name2</fieldForLabel>
<fieldForValue>Name2</fieldForValue>
<search>
<query>|inputlookup test.csv | search Name1=$name1$ | dedup Name2| table Name2</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Host</label>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>|inputlookup test.csv | search Name1=$name1$ Name2=$name2$ |dedup host | table host</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<choice value="*">All</choice>
<default>*</default>
</input>
<input type="text" token="search" searchWhenChanged="true">
<label>Search Text</label>
</input>
</fieldset>
<row>
<panel>
<title>Log Events</title>
<event>
<search>
<query>index=* host=$host$ $search$</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">50</option>
<option name="list.drilldown">full</option>
<option name="refresh.display">none</option>
<option name="table.drilldown">all</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Another alternative is to preserve the list of hosts returned by the third dropdown query and use it when "All" is selected

<input type="dropdown" token="host" searchWhenChanged="true">
<label>Host</label>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>|inputlookup test.csv | search Name1=$name1$ Name2=$name2$ |dedup host | eventstats values(host) as allhosts | eval allhosts=mvjoin(allhosts,",")</query>
<earliest>@d</earliest>
<latest>now</latest>
<done>
<set token="allhosts">$result.allhosts$</set>
</done>
</search>
<choice value="All">All</choice>
<default>All</default>
<change>
<eval token="hostschosen">if($host$=="All",$allhosts$,$host$)</eval>
</change>
</input>
<input type="text" token="search" searchWhenChanged="true">
<label>Search Text</label>
</input>
</fieldset>
<row>
<panel>
<title>Log Events</title>
<event>
<search>
<query>index=* host IN ($hostschosen$) $search$</query>

mikeyty07
Communicator

This one works smooth as well Thanks for the response

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mikeyty07,

in your main search, you have 

 

index=* host=$host$ $search$

 

this means that you use in your search only the condition of the third dropdown, but if you use host=*, it takes all the hosts.

The only ways to filter also for name1 and name2 are two, when applicable:

  • if you have in your main search also name1 and name2,
  • you have to use a subsearch.

the first case is the easiest and you have only to add the conditions with name1 and name2 in the main search:

 

index=* host=$host$ $search$ Name1=$name1$ Name2=$name2$ 

 

If instead this in unapplicable, you have to use a subsearch, something like this:

 

index=* host=$host$ $search$ [ | inputlookup test.csv WHERE Name1=$name1$ AND Name2=$name2$ AND host=$host$ | dedup host | fields host ]

 

In this way you take only the hosts from the third dropdown.

Ciao.

Giuseppe 

mikeyty07
Communicator

Thank You works like a charm !!!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...