Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk Pivot with dropdown menu and timepicker
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Pivot with dropdown menu and timepicker
Hi Experts,
My data source consists of a CSV file containing columns such as TIMESTAMP, APPLICATION, MENU_DES, REPORTING_DEPT, USER_TYPE, and USR_ID. I have developed a Dashboard that includes a time picker and a pivot table utilizing this data source.
Currently, the user wishes to filter the pivot table by APPLICATION. I have implemented a dropdown menu for APPLICATION and established a search query accordingly. However, the dropdown only displays "All," and the search query dont seeem to be returning values to the dropdown list.
Additionally, I need to incorporate a filter condition for APPLICATION in the pivot table based on the selection made from the dropdown menu. Could you please assist me with this?
Below is my dashboard code.
<form hideChrome="true" version="1.1">
<label>Screen log view</label>
<fieldset submitButton="false" autoRun="false">>
<input type="time" token="field1">
<label></label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="SelectedApp" searchWhenChanged="true">
<label>Application Name</label>
<search>
<query>
index="idxmainframe" source="*_screen_log.CSV"
| table APPLICATION
| dedup APPLICATION
| sort APPLICATION
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<fieldForLabel>apps</fieldForLabel>
<fieldForValue>apps</fieldForValue>
<choice value="*">All</choice>
<default>All</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| pivot screen ds dc(USR_ID) AS "Distinct Count of USR_ID"
SPLITROW APPLICATION AS APPLICATION
SPLITROW MENU_DES AS MENU_DES
SPLITROW REPORTING_DEPT AS REPORTING_DEPT
SPLITCOL USER_TYPE BOTTOM 0 dc(USR_ID)
ROWSUMMARY 0
COLSUMMARY 0
NUMCOLS 100
SHOWOTHER 1 | sort 0 APPLICATION MENU_DES REPORTING_DEPT
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your dropdown, you seem to have the fieldForLabel and fieldForValue both set to "apps", but in your dynamic query you have used the table command to filter the fields down to only the "APPLICATION" field. Therefore no results will appear except for the default "All". I recommend changing fieldForLabel and fieldForValue to "APPLICATION".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi marnall,
I have changed fieldForLabel and fieldForValue to "APPLICATION". Still the dropdown menu is returning only "All". Could you please help ?..Below is the latest code.
<form hideChrome="true" version="1.1">
<label>SCODE_VIEW</label>
<fieldset submitButton="false" autoRun="false">>
<input type="time" token="field1" searchWhenChanged="true" >
<label></label>
<default>
<earliest>-30d@d</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="SelectedApp" searchWhenChanged="true">
<label>Application Name</label>
<Search>
<query>
index="idxmainframe" source="*_SCODE_DATA.CSV"
earliest=$field1.earliest$ latest=$field1.latest$
| table APPLICATION
| dedup APPLICATION
| stats count by APPLICATION
</query>
</Search>
<fieldForLabel>APPLICATION</fieldForLabel>
<fieldForValue>APPLICATION</fieldForValue>
<choice value="*">All</choice>
<default>All</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| pivot Scode ds dc(USR_ID) AS "Distinct Count of USR_ID"
SPLITROW APPLICATION AS APPLICATION
SPLITROW MENU_DES AS MENU_DES
SPLITROW REPORTING_DEPT AS REPORTING_DEPT
SPLITCOL USER_TYPE BOTTOM 0 dc(USR_ID)
ROWSUMMARY 0
COLSUMMARY 0
NUMCOLS 100
SHOWOTHER 1 | sort 0 APPLICATION MENU_DES REPORTING_DEPT
</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like there was some invisible junk character(s) in the code. I got it working...Thanks for your help.
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
