Dashboards & Visualizations

Using all values from a drop down list in a search query when the field is filtered based on another field

pavanml
Explorer

I have a dashboard with 4 drop down where user can select a specific value from a dropdown. Also when one drop down is selected, the other dropdowns refresh so it only displays the list based on other field for user to further select.
As shown in below diagram, when each field has 'All', the number of values in field4 are high; however when user selects a specific value in field3, eg: pavanml, there are only 2 values displayed in field4.
In field4 the value is 'All' but effectively there are only 2 values for user to select.

Now in the search query of the panel, the index has only field4. And when we apply a filter of nums=$fieldSelection$ the value used is *, and hence does not serve any purpose and it takes lot of time. How should I modify in order to effectively have nums IN ("4812","7746") even though field4 has 'All' selected, but list of values are only these 2 based on selection of field3 by user. Also field4 is actually of string type even though value is a number.

alt text

0 Karma

niketn
Legend

@pavanml the use case for All and All filtered values are different. Seems like you are after the second use case. Please try the following run anywhere example and confirm

 

<form>
  <label>Pass all filtered values</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="log_level" searchWhenChanged="true">
      <label>Log Level</label>
      <choice value="*">All</choice>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd
| stats count by log_level
| sort log_level
| fields log_level</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <default>*</default>
    </input>
    <input type="dropdown" token="component" searchWhenChanged="true">
      <label>Component</label>
      <choice value="all">All</choice>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level="$log_level$"
| stats count by component
| sort component
| fields component
| eventstats values(component) as components
| eval components="\"".mvjoin(components,"\",\"")."\""</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
        <done>
          <condition match="$job.resultCount$==0">
            <unset token="tokComponentFilter"></unset>
          </condition>
          <condition>
            <set token="tokComponents">$result.components$</set>
          </condition>
        </done>
      </search>
      <change>
        <condition value="all">
          <set token="tokComponentFilter">$tokComponents$</set>
        </condition>
        <condition>
          <set token="tokComponentFilter">$value$</set>
        </condition>
      </change>
      <default>all</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>tokComponentFilter: $tokComponentFilter$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component IN ($tokComponentFilter$)
          | chart count by component log_level</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Screen Shot 2020-07-12 at 12.44.32 PM.png

 

Screen Shot 2020-07-12 at 12.44.46 PM.png

 

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Taruchit
Contributor

It worked well for me.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...