Multiselect input not working as expected with use of base search in dashboard

ak0252
New Member

So I am using a multiselect to take dynamic input from the user, and it works fine when I have individual searches running to populate the dynamic list for each input. But since the base search is the same for all those inputs, I thought I would use Splunk's base search feature to populate the list. This works fine at the first submit, but once the panels are loaded and the user wants to change the value in the multiselect input, it does not list all the values which were available at first. So I wanted to know if there is something we can do to have this work in the same fashion as it does for individual dynamic searches, meaning the underlying values which were returned at first should remain intact, or at least when the user selects the "All" option it should repopulate that list.

I tried using tokens (set, unset and so on) but no luck. I also tried having different base searches for the multiselect dropdown and the panel, but that didn't work either.

The following is the XML with the base search, which has the issue of reselecting multiselect dropdown values after submission:

<form version="1.1" theme="light">
  <label>testing Clone</label>
  <search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by status|sort 0 + status</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>file</fieldForLabel>
      <fieldForValue>file</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by file|sort 0 + file</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>itemId</fieldForLabel>
      <fieldForValue>itemId</fieldForValue>
      <search base="base_dropdown">
        <query>|stats count by itemId|sort 0 + itemId</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Count </title>
        <search base="base_panel">
          <query>| stats count</query>
          <!--- <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>-->
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

The following is without a base search for the multiselect dropdown, which works as expected:

<form version="1.1" theme="light">
  <label>testing</label>
  <!--<search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>-->
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>status</fieldForLabel>
      <fieldForValue>status</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest="$time_tok.earliest$" latest="$time_tok.latest$" |stats count by status|sort 0 + status</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>file</fieldForLabel>
      <fieldForValue>file</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by file|sort 0 + file</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice>
      <default>*</default>
      <delimiter>,</delimiter>
      <fieldForLabel>itemId</fieldForLabel>
      <fieldForValue>itemId</fieldForValue>
      <search>
        <query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by itemId|sort 0 + itemId</query>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Count</title>
        <search base="base_panel">
          <query>| stats count</query>
          <!--- <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>-->
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

0 Karma

dural_yyz24
Explorer

Once the base search runs with the filtered status, the results are all that is left over. You need to isolate your inputs' source from your results query. In this case 2 or more base searches are needed.

Things I have done/learned while doing this:

- tstats search commands are much faster, especially when pulling single fields; use this if you can

- inputs have limits on displaying unique values; enable search and wildcard options for long lists, never over 1,000 unique values if I recall correctly

0 Karma
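The isolation described in the reply, as an added example that is not code from either poster: `base_dropdown` is scoped only by the time token, so selecting values in a multiselect can never shrink the choice lists, while `base_panel` keeps the token filters from the original post. Using `stats values(...)` in the base search with `mvexpand` in each post-process search is an assumption of this example, chosen so that events missing one of the three fields still contribute the values they do have; the list-size limits mentioned in the reply still apply.

```xml
<form version="1.1" theme="light">
  <label>testing Clone</label>
  <!-- Input source: time token only, no filter tokens, so the choice lists never shrink -->
  <search id="base_dropdown">
    <query>index=main sourcetype=access_combined_wcookie | stats values(status) as status values(file) as file values(itemId) as itemId</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <search id="base_panel">
    <query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time_tok">
      <label>Time</label>
      <default><earliest>-7d@d</earliest><latest>now</latest></default>
    </input>
    <input type="multiselect" token="status_tok">
      <label>status</label>
      <choice value="*">All</choice><default>*</default>
      <delimiter>,</delimiter><valuePrefix>"</valuePrefix><valueSuffix>"</valueSuffix>
      <fieldForLabel>status</fieldForLabel><fieldForValue>status</fieldForValue>
      <!-- The base search returns one multivalue row; mvexpand makes one choice per value -->
      <search base="base_dropdown"><query>| fields status | mvexpand status</query></search>
    </input>
    <input type="multiselect" token="file_tok">
      <label>file</label>
      <choice value="*">All</choice><default>*</default>
      <delimiter>,</delimiter><valuePrefix>"</valuePrefix><valueSuffix>"</valueSuffix>
      <fieldForLabel>file</fieldForLabel><fieldForValue>file</fieldForValue>
      <search base="base_dropdown"><query>| fields file | mvexpand file</query></search>
    </input>
    <input type="multiselect" token="itemId_tok">
      <label>itemId</label>
      <choice value="*">All</choice><default>*</default>
      <delimiter>,</delimiter><valuePrefix>"</valuePrefix><valueSuffix>"</valueSuffix>
      <fieldForLabel>itemId</fieldForLabel><fieldForValue>itemId</fieldForValue>
      <search base="base_dropdown"><query>| fields itemId | mvexpand itemId</query></search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base_panel"><query>| stats count</query></search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```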