Dashboards & Visualizations

Is it possible to have multiple populating searches in a single drop down menu?

macadminrohit
Contributor

Is it possible to have multiple populating searches in a single drop down menu?

  <label>Select a CITY</label>
  <default>*</default>
  <choice value="*">All Cities</choice>
  <fieldForLabel>CityName</fieldForLabel>
  <fieldForValue>CITY</fieldForValue>
  <search base="lookup_csv">
    <query>search OPEN="Y" AND EXIST ="Y" | search TimeZone=$TimeZone$ AND Territory=$Territory$ AND Region=$Region$ AND District=$District$ AND STATE=$State$  
    | sort CITY
    | eval CityName = CITY+"-"+CITY_NAME+"-"+STATE 
    | table CITY CityName</query>
  </search>
</input>

The base search gets me the City names from a lookup file. What i need now is to another option in the same drop down menu named as "Special Cities" which will populate the values from a different lookup file which i can define here. And when that option is selected by the user, the subsequent searches should use those values to search for the events.

Is it possible?

0 Karma
1 Solution

macadminrohit
Contributor
  <label>Select SPACE:</label>
  <default>WHOLE</default>
  <choice value="*">All SPACE</choice>
  <choice value="tech">TECH </choice>
  <fieldForLabel>spaceName</fieldForLabel>
  <fieldForValue>SPACE</fieldForValue>
  <search>
    <query> main search        | table SPACE spaceName</query>
  </search>
  <change>
    <condition value="WHOLE">
      <set token="TC_SPACE_FLAG">Y</set>
    </condition>
    <condition>
      <unset token="TC_SPACE_FLAG"></unset>
    </condition>
  </change>
  <suffix>*</suffix>
</input>
<input type="dropdown" token="MORE_SPACE" searchWhenChanged="true" depends="$HideIt$">
  <label>MORE_SPACE</label>
  <fieldForLabel>TS</fieldForLabel>
  <fieldForValue>TS</fieldForValue>
  <selectFirstChoice>true</selectFirstChoice>
  <search>
    <query> main query to get TS</query>
    <done>
      <set token="Space">$result.TS$</set>
    </done>
  </search>

So basically we are creating another drop down which we are hiding. So as soon as the corresponding drop down item is selected, all the items in the hidden drop down are invoked.

View solution in original post

0 Karma

macadminrohit
Contributor
  <label>Select SPACE:</label>
  <default>WHOLE</default>
  <choice value="*">All SPACE</choice>
  <choice value="tech">TECH </choice>
  <fieldForLabel>spaceName</fieldForLabel>
  <fieldForValue>SPACE</fieldForValue>
  <search>
    <query> main search        | table SPACE spaceName</query>
  </search>
  <change>
    <condition value="WHOLE">
      <set token="TC_SPACE_FLAG">Y</set>
    </condition>
    <condition>
      <unset token="TC_SPACE_FLAG"></unset>
    </condition>
  </change>
  <suffix>*</suffix>
</input>
<input type="dropdown" token="MORE_SPACE" searchWhenChanged="true" depends="$HideIt$">
  <label>MORE_SPACE</label>
  <fieldForLabel>TS</fieldForLabel>
  <fieldForValue>TS</fieldForValue>
  <selectFirstChoice>true</selectFirstChoice>
  <search>
    <query> main query to get TS</query>
    <done>
      <set token="Space">$result.TS$</set>
    </done>
  </search>

So basically we are creating another drop down which we are hiding. So as soon as the corresponding drop down item is selected, all the items in the hidden drop down are invoked.

0 Karma

niketn
Legend

@macadminrohit, I have converted your comment to Answer. Please accept the same to mark this as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@macadminrohit, You can use append to add the results from second search to your current search. Make sure fields returned are same i.e. CITY, CITY_NAME and STATE.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append#Examples
Without the actual fields in the second lookup special cities and lookup/lookup file name it will be tough assist you with exact query.

Also, your current search shows filter in base search as well as after first pipe. Make sure all your filters are in your base search if possible.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

macadminrohit
Contributor

Thanks Niket, There will be only one field name in the second lookup ( special cities) , which is just numbers
001, 002, 003 etc and the lookup name will be special_cities.csv

0 Karma

niketn
Legend

Ok so let me clarify the intent. Do you want to have static option "Special Cities" in Dropdown and when that is selected pass the special city codes from lookup to search? Is this correct?

What is the search you want to run is there a field corresponding to Special City codes in your indexed data?

I saw that you are using a base search to populate results in the dropdown but does not seem like this search is used for recursive post processing so it can be modified. However, based on answer to my previous question change to search might not be required.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

macadminrohit
Contributor

Yes the Special cities field values will be coming from another lookup which has just the list of special cities. So once that option is selected, we need all events related to those special cities field values.

Drop down will look something like this :

Select a City:
ALL CITIES
Special Cities
City1
City2
City3

So when the user selects ALL CITIES, by default a * is used as a field value in other searches. When Special Cities is selected, it should recursively take all values from the lookup and use in other searches.

0 Karma

macadminrohit
Contributor

We were able to do this, by adding some logic to the dashboard.

0 Karma

niketn
Legend

@macadminrohit, good to know that you were able to resolve this. I would request you to add the approach taken to resolve the issue and Accept the same to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

macadminrohit
Contributor

And there are other searches in this dashboard which are using this base search so i cant really modify it.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...