Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiselect input not working as expected with use of base search in dashboard

ak0252
New Member
‎08-29-2024 06:27 AM

So i am using multiselect to take dynamic input from user and it is working fine when i have individual searches running to populate dynamic list for each input but since for all those inputs my base search is same so i had thought to use Splunk's base search feature to populate the list which works fine at first submit but now when the panels are loaded and user wants to change the value in multiselect input it does not list all the values which were available at first . So wanted to know if is there something we can do to have this working in same fashion as it works for individual dynamics searches meaning the underlying values which were returned at first should remain intact or at least when the user is selecting "All" option it should repopulate that list.

I had tried using tokens set unset and stuff but no luck. I also tried having different base search for multiselect dropdown and panel but that too didn't worked.

Following is xml with base search which has the issue of reselecting multiselect dropdown values after submission -

<form version="1.1" theme="light">
<label>testing Clone</label>
<search id="base_dropdown">
<query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
<search id="base_panel">
<query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time_tok">
<label>Time</label>
<default>
<earliest>-7d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="status_tok">
<label>status</label>
<choice value="*">All</choice>
<default>*</default>
<delimiter>,</delimiter>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search base="base_dropdown">
<query>|stats count by status|sort 0 + status</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
<input type="multiselect" token="file_tok">
<label>file</label>
<choice value="*">All</choice>
<default>*</default>
<delimiter>,</delimiter>
<fieldForLabel>file</fieldForLabel>
<fieldForValue>file</fieldForValue>
<search base="base_dropdown">
<query>|stats count by file|sort 0 + file</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
<input type="multiselect" token="itemId_tok">
<label>itemId</label>
<choice value="*">All</choice>
<default>*</default>
<delimiter>,</delimiter>
<fieldForLabel>itemId</fieldForLabel>
<fieldForValue>itemId</fieldForValue>
<search base="base_dropdown">
<query>|stats count by itemId|sort 0 + itemId</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Count </title>
<search base="base_panel">
<query>| stats count</query>
<!--- <earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>-->
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>

 

Following is without base search for multiselect drop down which works as expected-

<form version="1.1" theme="light">
<label>testing</label>
<!--<search id="base_dropdown">
<query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>-->
<search id="base_panel">
<query>index=main sourcetype=access_combined_wcookie status IN ($status_tok$) file IN ($file_tok$) itemId IN ($itemId_tok$)</query>
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
</search>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time_tok">
<label>Time</label>
<default>
<earliest>-7d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="status_tok">
<label>status</label>
<choice value="*">All</choice>
<default>*</default>
<delimiter>,</delimiter>
<fieldForLabel>status</fieldForLabel>
<fieldForValue>status</fieldForValue>
<search>
<query>index=main sourcetype=access_combined_wcookie earliest="$time_tok.earliest$" latest="$time_tok.latest$" |stats count by status|sort 0 + status</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
<input type="multiselect" token="file_tok">
<label>file</label>
<choice value="*">All</choice>
<default>*</default>
<delimiter>,</delimiter>
<fieldForLabel>file</fieldForLabel>
<fieldForValue>file</fieldForValue>
<search>
<query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by file|sort 0 + file</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
<input type="multiselect" token="itemId_tok">
<label>itemId</label>
<choice value="*">All</choice>
<default>*</default>
<delimiter>,</delimiter>
<fieldForLabel>itemId</fieldForLabel>
<fieldForValue>itemId</fieldForValue>
<search>
<query>index=main sourcetype=access_combined_wcookie earliest=$time_tok.earliest$ latest="$time_tok.latest$"|stats count by itemId|sort 0 + itemId</query>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Count</title>
<search base="base_panel">
<query>| stats count</query>
<!--- <earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>-->
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>

Dashboard 

Labels (2)
Labels
0 Karma
Reply

dural_yyz24
Explorer
‎08-29-2024 08:26 AM

Once the base search runs with the filtered status the results are all that is left over.  You need to isolate your inputs source from your results query.  In this case 2 or more base searches are needed.

Things I have done/learned while doing this.

- tstats search commands are much faster especially pulling single fields, use this if you can

- inputs have limits on displaying unique values, enable search and wildcard options for long lists, never over 1,000 unique values if I recall correctly

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...