Dashboards & Visualizations

Using all values from a drop down list in a search query when the field is filtered based on another field

pavanml
Explorer

I have a dashboard with 4 drop down where user can select a specific value from a dropdown. Also when one drop down is selected, the other dropdowns refresh so it only displays the list based on other field for user to further select.
As shown in below diagram, when each field has 'All', the number of values in field4 are high; however when user selects a specific value in field3, eg: pavanml, there are only 2 values displayed in field4.
In field4 the value is 'All' but effectively there are only 2 values for user to select.

Now in the search query of the panel, the index has only field4. And when we apply a filter of nums=$fieldSelection$ the value used is *, and hence does not serve any purpose and it takes lot of time. How should I modify in order to effectively have nums IN ("4812","7746") even though field4 has 'All' selected, but list of values are only these 2 based on selection of field3 by user. Also field4 is actually of string type even though value is a number.

alt text

0 Karma

niketn
Legend

@pavanml the use case for All and All filtered values are different. Seems like you are after the second use case. Please try the following run anywhere example and confirm

 

<form>
  <label>Pass all filtered values</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="log_level" searchWhenChanged="true">
      <label>Log Level</label>
      <choice value="*">All</choice>
      <fieldForLabel>log_level</fieldForLabel>
      <fieldForValue>log_level</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd
| stats count by log_level
| sort log_level
| fields log_level</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <default>*</default>
    </input>
    <input type="dropdown" token="component" searchWhenChanged="true">
      <label>Component</label>
      <choice value="all">All</choice>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd log_level="$log_level$"
| stats count by component
| sort component
| fields component
| eventstats values(component) as components
| eval components="\"".mvjoin(components,"\",\"")."\""</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
        <done>
          <condition match="$job.resultCount$==0">
            <unset token="tokComponentFilter"></unset>
          </condition>
          <condition>
            <set token="tokComponents">$result.components$</set>
          </condition>
        </done>
      </search>
      <change>
        <condition value="all">
          <set token="tokComponentFilter">$tokComponents$</set>
        </condition>
        <condition>
          <set token="tokComponentFilter">$value$</set>
        </condition>
      </change>
      <default>all</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>tokComponentFilter: $tokComponentFilter$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component IN ($tokComponentFilter$)
          | chart count by component log_level</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Screen Shot 2020-07-12 at 12.44.32 PM.png

 

Screen Shot 2020-07-12 at 12.44.46 PM.png

 

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Taruchit
Contributor

It worked well for me.

0 Karma
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...