Multiselect input not working as expected with use of base search in dashboard

ak0252
New Member

So I am using multiselect to take dynamic input from the user, and it is working fine when I have individual searches running to populate the dynamic list for each input. But since my base search is the same for all those inputs, I had thought to use Splunk's base search feature to populate the list, which works fine at first submit. But now, when the panels are loaded and the user wants to change the value in the multiselect input, it does not list all the values which were available at first. So I wanted to know if there is something we can do to have this working in the same fashion as it works for individual dynamic searches, meaning the underlying values which were returned at first should remain intact, or at least when the user is selecting the "All" option it should repopulate that list.

I had tried using tokens set unset and stuff but no luck. I also tried having different base search for multiselect dropdown and panel but that too didn't work.

Following is xml with base search which has the issue of reselecting multiselect dropdown values after submission -

<form version="1.1" theme="light">
  <label>testing Clone</label>
  <search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by status|sort 0 + status</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>file</fieldForLabel>
      <fieldForValue>file</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by file|sort 0 + file</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>itemId</fieldForLabel>
      <fieldForValue>itemId</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by itemId|sort 0 + itemId</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Count </title>
        <search base="base_panel">
          <query>| stats count</query>
          <!--- <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>-->
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

 

Following is without base search for multiselect drop down which works as expected-

<form version="1.1" theme="light">
  <label>testing</label>
  <!--<search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>-->
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest="$time_tok.earliest$" latest="$time_tok.latest$" |stats count by status|sort 0 + status</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>file</fieldForLabel>
      <fieldForValue>file</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by file|sort 0 + file</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>itemId</fieldForLabel>
      <fieldForValue>itemId</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by itemId|sort 0 + itemId</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Count</title>
        <search base="base_panel">
          <query>| stats count</query>
          <!--- <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>-->
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

0 Karma

dural_yyz24
Explorer

Once the base search runs with the filtered status the results are all that is left over. You need to isolate your inputs source from your results query. In this case 2 or more base searches are needed.

Things I have done/learned while doing this.

- tstats search commands are much faster especially pulling single fields, use this if you can

- inputs have limits on displaying unique values, enable search and wildcard options for long lists, never over 1,000 unique values if I recall correctly

0 Karma