Dashboards & Visualizations

Multiple Dependent Form Inputs

adauria_splunk
Splunk Employee
Splunk Employee

Hi folks,

I'm trying to use the GUI Dashboard editor in 6.1.3 to create a dashboard with 2 drop down pickers based on dynamic searches. The first lets a user choose an account ID (assigns it to a token named "account":
sourcetype=du | dedup "L5 Account Name" | fields "L5 Account Name" | sort + "L5 Account Name"

The second shows the devices owned by that account, and lets you pick from that list (assigns to token "serialno" and is used in searches in dashboard):
sourcetype=du "L5 Account Name"=$account$| dedup "Serial Number" | fields "Serial Number" | sort +"Serial Number"

This seems to work OK initially, BUT if I change the first drop down to a different account, it doesn't dynamically reload the serial number values for the drop down on the 2nd form field picker.

Basically, I want to link the 2 drop downs so changing the value of the first one, repopulates the 2nd and clears the selection on it, also clearing the panel below that depend on that value. I have the box checked for "search on change" for the first account selection.

Thanks!

-Andrew

tdiestel
Path Finder

Did you ever find an answer to this? I am experience the exact same problem.

Thanks,
Tyler

0 Karma

ngatchasandra
Builder

I have understand that you want to link the both dropdown in other to when you select one “account” in the first dropdown, the second dropdown is populate by the values of serial Number which match it. Only remove "L5 Account Name"=$account$ in the second input dropdown populatingSearch and add the line that follow after the first "|" in this populatingSearch:

Search  $account$

Now, the code is look like this:

 <input type="dropdown" token="account">
   <label>Account</label>
   <populatingSearch fieldForLabel="L5 Account Name" fieldForValue="L5 Account Name">sourcetype=du | dedup "L5 Account Name" | fields "L5 Account Name" | sort + "L5 Account Name"</populatingSearch>
   <default>Customer International (Australia)</default>
 </input>
 <input type="dropdown" token="serialno" searchWhenChanged="true">
   <label>Device Serial Number</label>
   <populatingSearch earliest="0" latest="" fieldForLabel="Serial Number" fieldForValue="Serial Number">sourcetype=du   |search $account$ |dedup "Serial Number" | fields "Serial Number" | sort +"Serial Number"</populatingSearch>
   <default>7939123</default>
 </input>


 <panel>
   <table>

     <searchString>sourcetype=du "Serial Number"=$serialno$ | head 1 | rename "L5 Account Name" AS Account, "L5 Account Number" AS "Account Number" "Domestic Ult City" AS City | eval Location = tostring(lat)+", "+tostring(lon) + "  alt: " + tostring(alt) | table "Serial Number" Account "Account Number" City Location</searchString>
     <earliestTime>0</earliestTime>
     <latestTime/>
     <option name="wrap">true</option>
     <option name="rowNumbers">false</option>
     <option name="dataOverlayMode">none</option>
     <option name="drilldown">cell</option>
     <option name="count">10</option>
   </table>
 </panel>


 <panel>
   <map>

     <searchString>sourcetype = du "Serial Number" = $serialno$ | head 1 | geostats count</searchString>
     <earliestTime>0</earliestTime>
     <latestTime/>
     <option name="mapping.data.maxClusters">100</option>
     <option name="mapping.map.center">(0,0)</option>
     <option name="mapping.map.zoom">2</option>
     <option name="mapping.markerLayer.markerMaxSize">50</option>
     <option name="mapping.markerLayer.markerMinSize">10</option>
     <option name="mapping.markerLayer.markerOpacity">0.8</option>
     <option name="mapping.tileLayer.maxZoom">7</option>
     <option name="mapping.tileLayer.minZoom">0</option>
     <option name="drilldown">all</option>
   </map>
 </panel>
0 Karma

somesoni2
Revered Legend

You need to ass "searchWhenChanged" on first dropdown as well.

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

Thanks. That doesn't change anything, however...

0 Karma

somesoni2
Revered Legend

Can you post you dashboard xml (mask sensitive data)?

0 Karma

adauria_splunk
Splunk Employee
Splunk Employee

1.1 Find Device by Serial Number

<input type="dropdown" token="account">
  <label>Account</label>
  <populatingSearch fieldForLabel="L5 Account Name" fieldForValue="L5 Account Name">sourcetype=du | dedup "L5 Account Name" | fields "L5 Account Name" | sort + "L5 Account Name"</populatingSearch>
  <default>Customer International (Australia)</default>
</input>
<input type="dropdown" token="serialno" searchWhenChanged="true">
  <label>Device Serial Number</label>
  <populatingSearch earliest="0" latest="" fieldForLabel="Serial Number" fieldForValue="Serial Number">sourcetype=du "L5 Account Name"=$account$  | dedup "Serial Number" | fields "Serial Number" | sort +"Serial Number"</populatingSearch>
  <default>7939123</default>
</input>


<panel>
  <table>
    <title>Device Info</title>
    <searchString>sourcetype=du "Serial Number"=$serialno$ | head 1 | rename "L5 Account Name" AS Account, "L5 Account Number" AS "Account Number" "Domestic Ult City" AS City | eval Location = tostring(lat)+", "+tostring(lon) + "  alt: " + tostring(alt) | table "Serial Number" Account "Account Number" City Location</searchString>
    <earliestTime>0</earliestTime>
    <latestTime/>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <map>
    <title>Device Map</title>
    <searchString>sourcetype = du "Serial Number" = $serialno$ | head 1 | geostats count</searchString>
    <earliestTime>0</earliestTime>
    <latestTime/>
    <option name="mapping.data.maxClusters">100</option>
    <option name="mapping.map.center">(0,0)</option>
    <option name="mapping.map.zoom">2</option>
    <option name="mapping.markerLayer.markerMaxSize">50</option>
    <option name="mapping.markerLayer.markerMinSize">10</option>
    <option name="mapping.markerLayer.markerOpacity">0.8</option>
    <option name="mapping.tileLayer.maxZoom">7</option>
    <option name="mapping.tileLayer.minZoom">0</option>
    <option name="drilldown">all</option>
  </map>
</panel>
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...