Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What query should I execute in the 2nd dropdown to not have value displayed in the 1st dropdown?

gpayal18
Explorer
‎09-03-2018 04:09 AM

Input to splunk is a csv file which has column headers like 'Falcon 15.01.01.03.100', 'Falcon GA 15.01.02.06.1'.. (there are values present under each of these columns in rows). on dashboard, there are 2 dropdowns.
Both the dropdowns should have values of these column header i.e. which has Falcon word in it. Only thing I want is, Value which is selected in 1st dropdown , should not be displayed in 2nd. Means if search returns 3 results, 1st dropdown should have 3 values in it and after selecting the one value from 1st dropdown.. second should have only 2 values in it.

in 1st dropdown, M executing this query: input.csv|fieldsummary Falcon | dedup field | table field >> returning me 3 results

What query should I execute in 2nd dropdown for above mentioned scenario?

Thanks in advance!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎09-03-2018 08:17 PM

@gpayal18 would you be able to share the code for your 2 drop downs? Based on the selected value in dropdown 1, you can add a search filter in the second dropdown. There is an example in Splunk Dashboard Examples App to create Cascaded Drilldowns which you can refer.

Following run anywhere example creates two inputs with same three dropdown values field1 and field2. Value of field1 is used in field2 | search values!="$field1$". Additionally, field2 dropdown is hidden until field1 value is selected using depends attribute i.e. depends="$field1$"

    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <fieldForLabel>fields</fieldForLabel>
      <fieldForValue>values</fieldForValue>
      <search>
        <query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values</query>
      </search>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true" depends="$field1$">
      <label>field2</label>
      <fieldForLabel>fields</fieldForLabel>
      <fieldForValue>values</fieldForValue>
      <search>
        <query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values
| search values!="$field1$"</query>
      </search>
    </input>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gpayal18
Explorer
‎09-04-2018 12:02 AM

Thanks a lot!! Adding this parameter 'search values!="$field1$"' worked.

Reply
Solved! Jump to solution

niketn
Legend
‎09-04-2018 01:54 AM

@gpayal18 glad it worked. While posting code/data on Splunk Answers make sure you use Code button (101010) or Shortcut Ctrl+K after highlighting the code text. So that special characters do not escape!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎09-03-2018 08:17 PM

@gpayal18 would you be able to share the code for your 2 drop downs? Based on the selected value in dropdown 1, you can add a search filter in the second dropdown. There is an example in Splunk Dashboard Examples App to create Cascaded Drilldowns which you can refer.

Following run anywhere example creates two inputs with same three dropdown values field1 and field2. Value of field1 is used in field2 | search values!="$field1$". Additionally, field2 dropdown is hidden until field1 value is selected using depends attribute i.e. depends="$field1$"

    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>field1</label>
      <fieldForLabel>fields</fieldForLabel>
      <fieldForValue>values</fieldForValue>
      <search>
        <query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values</query>
      </search>
    </input>
    <input type="dropdown" token="field2" searchWhenChanged="true" depends="$field1$">
      <label>field2</label>
      <fieldForLabel>fields</fieldForLabel>
      <fieldForValue>values</fieldForValue>
      <search>
        <query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values
| search values!="$field1$"</query>
      </search>
    </input>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

gpayal18
Explorer
‎09-03-2018 11:18 PM

Code for 2 dropdowns:


Falcon 15_01_01_03_100 _2017_05_23 12_00_00
Falcon 15_01_01_03_100 _2017_05_23 12_00_00
field
field

source="C:\1-VMS\Non-Production\Tools\Main\IntOps\Main\SambaManager\bin\Debug\Log\SPII_Falcon-Azure-FalconGA-csv.csv"| fieldsummary Falcon | dedup field | table field




server
server



0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...