Dashboards & Visualizations

pre populate multiselect from csv lookup and allow to select remaining from index query

Contributor

I have one csv lokup which looks like-
Group numbers
A 1
A 2
A 3
A 4
B 5
B 6
B 7
B 8
From above I am populating dropdown to show distinct Group ..In this case dropdown will show "A" and "B".And next to that I am using multiselect input -which will run from index query to populate numbers multiselect. and as per selection of group it should pre-populate numbers from csv lookup .
For example If I select Group from dropdown as "A" then multiselect should populate numbers "1","2","3","4" and allow user to select any other numbers from spl query- index="abc" |stats count by numbers
will it be possible in splunk.Please help.
Thanks,

0 Karma

Esteemed Legend

Use 2 inputs: a dropdown for Group and a multiselect that uses the token from that to populate Number(s).

0 Karma

SplunkTrust
SplunkTrust

HI @ips_mandar,
you have to create two dropdown inputs using the first token in the second input's search, in other words, something like this (if numbers is a field both in lookup and index and Group is only a field in lookup):

<form>
  <label>test</label>
  <description>your description</description>
  <fieldset submitButton="false">
    <input type="dropdown" token="group">
      <label>Group</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Group</fieldForLabel>
      <fieldForValue>Group</fieldForValue>
      <search>
        <query>| inputlookup my_lookup.csv | dedup Group | sort Group | table Group</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>Group="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="numbers">
      <label>numbers</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>numbers</fieldForLabel>
      <fieldForValue>numbers</fieldForValue>
      <search>
        <query>index=yout_index | lookup my_lookup.csv numbers OUTPUT Group | search $group$ | dedup numbers | sort numbers | table numbers</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <prefix>numbers="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="time" token="Time">
      <label>Time</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>your title</title>
      <event>
        <search>
          <query>index=your_index $numbers$</query>
          <earliest>$Time.earliest$</earliest>
          <latest>$Time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>

Ciao.
Giuseppe

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!