Splunk Search

Dashboard inherited inputs

joock3r
Explorer

Hey all,

I'm building new dashboard that contains 2 multiselect values:

Site: USA, Romania, Turkey.... (only countries)

Campus: USA1,USA2,Romania1,Romania2.... (contains the country's name and number).

I want that when I select country/countires in Site multiselect value I will see only options to select the relevant campuses in Campus multiselect value.

How can I create inherited rule that the Campus will inherit from Site value?

Thanks.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
| makeresults format=csv data="Country
USA
Romania
Turkey"
| table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
| makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
$countrychoice$
| table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @joock3r ,

id depends on the data source:

if you have a lookup containing two columns (country and campus), you can fiter the second dopdown using the choice in the first, somthing like this:

| inputookup your_lookup.csv WHERE country=$token1$
| fields campus

if instead you have only one list (USA 1, USA 2, Romania 1, Romania 2, Turkey 1, Turkey2), you should extract the country from the list using a regex, e.g. something like this (having only one column called campus, containing always the country and a number):

first dropdown

| inputookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| fields country

second dropdown:

| inputookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| search country="$token1$"
| fields campus

Ciao.

Giuseppe

 

ITWhisperer
SplunkTrust
SplunkTrust

For the campus dropdown, use a search which filters the campuses based on the token value from the countries dropdown

0 Karma

joock3r
Explorer

I thought about that but didn't succeed to edit the dynamic options for the Campus value.
I tried 

 | search $site.token$=$campus.token$*

When $site.token$ is for Site value and $campus.token$* is for Campus value.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
| makeresults format=csv data="Country
USA
Romania
Turkey"
| table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
| makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
$countrychoice$
| table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques

Hello! We are excited to kick off a new series of blogs from SplunkTrust member ITWhisperer, who demonstrates ...

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...