Dashboard inherited inputs

joock3r
Explorer

Hey all,

I'm building a new dashboard that contains 2 multiselect values:

Site: USA, Romania, Turkey.... (only countries)

Campus: USA1,USA2,Romania1,Romania2.... (contains the country's name and number).

I want that when I select country/countries in the Site multiselect value, I will see only options to select the relevant campuses in the Campus multiselect value.

How can I create an inherited rule so that the Campus will inherit from the Site value?

Thanks.


gcusello
SplunkTrust

Hi @joock3r ,

It depends on the data source:

if you have a lookup containing two columns (country and campus), you can filter the second dropdown using the choice in the first, something like this:

| inputlookup your_lookup.csv WHERE country=$token1$
| fields campus

if instead you have only one list (USA 1, USA 2, Romania 1, Romania 2, Turkey 1, Turkey2), you should extract the country from the list using a regex, e.g. something like this (having only one column called campus, containing always the country and a number):

first dropdown

| inputlookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| fields country

second dropdown:

| inputlookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| search country="$token1$"
| fields campus

Ciao.

Giuseppe

 

ITWhisperer
SplunkTrust

For the campus dropdown, use a search which filters the campuses based on the token value from the countries dropdown


joock3r
Explorer

I thought about that but didn't succeed to edit the dynamic options for the Campus value.
I tried 

 | search $site.token$=$campus.token$*

When $site.token$ is for Site value and $campus.token$* is for Campus value.


ITWhisperer
SplunkTrust
<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
| makeresults format=csv data="Country
USA
Romania
Turkey"
| table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
| makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
$countrychoice$
| table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>
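
The selection handling in the dashboard above, modelled in Python as an added example (not code from the thread or from Splunk): it traces what the two `<eval>` expressions in the `<change>` handler produce and which campuses the second input then offers. The function names are hypothetical, and the model assumes `mvfind` returns the 0-based index of the first value matching the regex, or NULL when nothing matches.

```python
import re

# Constructed sample data: the Country,Campus rows from the dashboard's makeresults.
CAMPUSES = [("USA", "USA1"), ("USA", "USA2"),
            ("Romania", "Romania1"), ("Romania", "Romania2"), ("Romania", "Romania3"),
            ("Turkey", "Turkey1"), ("Turkey", "Turkey2"),
            ("Turkey", "Turkey3"), ("Turkey", "Turkey4")]


def normalize_sites(selected):
    """Model of the first <eval>: the value written back to form.alloptions."""
    # Assumption: mvfind yields the 0-based index of the first value matching
    # the regex "All", or NULL (None here) when nothing matches.
    idx = next((i for i, v in enumerate(selected) if re.search("All", v)), None)
    if len(selected) == 0:
        return ["All"]                     # nothing selected: fall back to All
    if len(selected) > 1 and idx is not None and idx > 0:
        return ["All"]                     # All picked after countries: All wins
    if len(selected) > 1 and idx == 0:
        return [v for v in selected if v != "All"]  # country picked after All: drop All
    return list(selected)                  # default branch (1==1): unchanged


def country_clause(sites):
    """Model of the second <eval>: the SPL fragment stored in $countrychoice$."""
    if sites == ["All"]:
        return ""
    # valuePrefix/valueSuffix wrap each value in quotes; the delimiter joins with ","
    return "| where Country IN (" + ",".join('"%s"' % s for s in sites) + ")"


def campus_options(selected):
    """Campus choices offered after the Site selection changes."""
    sites = normalize_sites(selected)
    if country_clause(sites) == "":
        return [campus for _, campus in CAMPUSES]
    return [campus for country, campus in CAMPUSES if country in sites]


if __name__ == "__main__":
    for pick in (["All", "Turkey"], ["USA", "Romania"], ["USA", "All"]):
        print(pick, "->", country_clause(normalize_sites(pick)), campus_options(pick))
```
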