Solved: how to create dependent dropdown?

karthi2809 · ‎04-19-2024

Hi All,

I am using depedent dropdown in my splunk dashboard .But the second dropdown not working.Could you pls what is the exact error .And screen shot is attached.And my inputlookup with below values.

<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> 
  <label>ApplicationName</label> 
  <choice value="*">All</choice>
    <search>
      <query> | inputlookup BankIntegration.csv | dedup APPLICATION_NAME | sort APPLICATION_NAME | table APPLICATION_NAME 
      </query> 
    </search> 
  <fieldForLabel>ApplicationName</fieldForLabel>   
  <fieldForValue>APPLICATION_NAME</fieldForValue> 
  <default>*</default> 
  <prefix>applicationName="</prefix> 
  <suffix>"</suffix> 
</input> 
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> 
  <label>InterfaceName</label> 
  <choice value="*">All</choice> 
  <search> 
    <query> | inputlookup BankIntegration.csv | search $BankApp$ | sort INTERFACE_NAME | table INTERFACE_NAME 
    </query>
  </search> 
  <fieldForLabel>InterfaceName</fieldForLabel> 
  <fieldForValue>INTERFACE_NAME</fieldForValue> 
  <default>*</default> 
  <prefix>InterfaceName="</prefix> 
  <suffix>"</suffix> 
</input>

INTERFACE_NAME APPLICATION_NAME

APPLICATION_NAME INTERFACE_NAME

p-oracle-fin-processor-2

HSBC_NA_AP_ACH

p-oracle-fin-processor

USBANK_AP_ACH

p-oracle-fin-processor-2

AMEX_AP_GL1025_PCARD_CCTRANS

p-oracle-api

APEX_VENDORPORTAL_HR_APO_EMPLOYEE_OUT

p-oracle-fin-processor-2

AVALARA_TAX_VAT_REPORTING

p-oracle-fin-processor-2

BOA_KING_KYRIBA_CE_BANKSTMTS_BFA_GLOBAL

p-oracle-fin-processor-2

HSBC_APAC_CE_BANKSTMTS

p-oracle-fin-processor-2

HSBC_NA_CE_BANKSTMTS

gcusello · ‎04-19-2024

Hi @karthi2809,

there's a strange thing in your inputs:

in the search you have the field APPLICATION_NAME, but in the fieldForLabel you have a different field ApplicationName and in prefix another one applicationName.

same thing in the second input.

What's the field name?

you must use the same in all the above tags.

You can have different values between FieldForLabel and FieldForvalue if you have two fields in the search, but you have only one.

So what's the correct one?

Supponing that the correct one is the one in uppercase, please try this:

<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>ApplicationName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | dedup APPLICATION_NAME 
         | sort APPLICATION_NAME 
         | table APPLICATION_NAME 
      </query> 
   </search> 
   <fieldForLabel>APPLICATION_NAME</fieldForLabel> 
   <fieldForValue>APPLICATION_NAME</fieldForValue> 
   <default>*</default> 
   <prefix>APPLICATION_NAME="</prefix> 
   <suffix>"</suffix> 
</input> 
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>InterfaceName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | search $BankApp$ 
         | sort INTERFACE_NAME 
         | table INTERFACE_NAME 
      </query> 
   </search> 
   <fieldForLabel>INTERFACE_NAME</fieldForLabel> 
   <fieldForValue>INTERFACE_NAME</fieldForValue> 
   <default>*</default> 
   <prefix>INTERFACE_NAME="</prefix> 
   <suffix>"</suffix> 
</input>

Then, does your inputs run withouth the depends condition?

Ciao.

Giuseppe

View solution in original post

gcusello · ‎04-19-2024

Hi @karthi2809,

there's a strange thing in your inputs:

in the search you have the field APPLICATION_NAME, but in the fieldForLabel you have a different field ApplicationName and in prefix another one applicationName.

same thing in the second input.

What's the field name?

you must use the same in all the above tags.

You can have different values between FieldForLabel and FieldForvalue if you have two fields in the search, but you have only one.

So what's the correct one?

Supponing that the correct one is the one in uppercase, please try this:

<input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>ApplicationName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | dedup APPLICATION_NAME 
         | sort APPLICATION_NAME 
         | table APPLICATION_NAME 
      </query> 
   </search> 
   <fieldForLabel>APPLICATION_NAME</fieldForLabel> 
   <fieldForValue>APPLICATION_NAME</fieldForValue> 
   <default>*</default> 
   <prefix>APPLICATION_NAME="</prefix> 
   <suffix>"</suffix> 
</input> 
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>InterfaceName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | search $BankApp$ 
         | sort INTERFACE_NAME 
         | table INTERFACE_NAME 
      </query> 
   </search> 
   <fieldForLabel>INTERFACE_NAME</fieldForLabel> 
   <fieldForValue>INTERFACE_NAME</fieldForValue> 
   <default>*</default> 
   <prefix>INTERFACE_NAME="</prefix> 
   <suffix>"</suffix> 
</input>

Then, does your inputs run withouth the depends condition?

Ciao.

Giuseppe

karthi2809 · ‎04-19-2024

@gcusello Its working now.One more details that i want to know.If select applicationName and InterfaceName for particular value the value is comming and if i use all with * its not showing any data .How can we add all (*).Instead of * .How to add all the data in the applicationName and interfaceName .

for example
| search applicationName IN (p-oracle-fin-processor,p-oracle-fin-processor-2 , p-wd-finance-api) like this .
I will paste my query.

index=mulesoft environment=*   | search applicationName IN (p-oracle-fin-processor,p-oracle-fin-processor-2 , p-wd-finance-api)   OR  (priority="ERROR" OR priority="WARN")  | stats  values(*) as * by correlationId | rename  content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName 
      content.ErrorMsg as ErrorMsg   | eval  Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS") | fields  Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | where  InterfaceName="APEX_VENDOR_PORTAL_AP_SUPPLIERS_OUT"  AND  isnotnull(FileList) | sort -timestamp | sort -timestamp

gcusello · ‎04-19-2024

Hi @karthi2809,

this is a new question, even if on the same topic, it's always better to open a new question to have a quicker and probably better answer.

Anyway, at first don't use the search command after the main search because your search will be slower

Then, I see again a different field name than the one in the input, which is the correct one?

could you share yur search with the tokens?

Ciao.

Giuseppe

karthi2809 · ‎04-19-2024

</input><input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>ApplicationName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | dedup applicationName 
         | sort applicationName 
         | table applicationName 
      </query> 
   </search> 
   <fieldForLabel>applicationName</fieldForLabel> 
   <fieldForValue>applicationName</fieldForValue> 
   <default>*</default> 
   <prefix>applicationName="</prefix> 
   <suffix>"</suffix> 
</input> 
<input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> 
   <label>InterfaceName</label> 
   <choice value="*">All</choice> 
   <search> 
      <query> 
         | inputlookup BankIntegration.csv 
         | search $BankApp$ 
         | sort InterfaceName 
         | table InterfaceName 
      </query> 
   </search> 
   <fieldForLabel>InterfaceName</fieldForLabel> 
   <fieldForValue>InterfaceName</fieldForValue> 
   <default>*</default> 
   <prefix>InterfaceName="</prefix> 
   <suffix>"</suffix> 
</input>

Query :

index=mulesoft environment=PRD   $BankApp$   OR  (priority="ERROR" OR priority="WARN")  | stats  values(*) as * by correlationId | rename  content.InterfaceName as InterfaceName content.FileList{} as FileList content.Filename as FileName 
      content.ErrorMsg as ErrorMsg   | eval  Status=case(priority="ERROR","ERROR",priority="WARN","WARN",priority!="ERROR","SUCCESS") | fields  Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | where  $interface$ AND  isnotnull(FileList) | sort -timestamp

If i select all in dropdown the particular values of inputlookup file fields and data should be showen.If its * then its shows all the values.This the query which i am trying to achieve things.

gcusello · ‎04-19-2024

Hi @karthi2809 ,

let me understand: the issue is that your search runs if you choose a value but it doesn't run if you choose the "All" value ("*"), is it correct?

I don't ee big problema in your search, I'd only use search instead whene in the last condition and I'd add parenthesis in the main search:

index=mulesoft environment=PRD ($BankApp$ OR priority IN ("ERROR", "WARN"))
| stats values(*) AS * BY correlationId 
| rename 
   content.InterfaceName AS InterfaceName 
   content.FileList{} AS FileList
   content.Filename as FileName 
   content.ErrorMsg as ErrorMsg   
| eval  Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") 
| fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message 
| search  $interface$ FileList=*
| sort -timestamp

Ciao.

Giuseppe

how to create dependent dropdown?

Classic dashboard

token

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...