Solved: Dashboard inherited inputs

joock3r · ‎05-26-2024

Hey all,

I'm building new dashboard that contains 2 multiselect values:

Site: USA, Romania, Turkey.... (only countries)

Campus: USA1,USA2,Romania1,Romania2.... (contains the country's name and number).

I want that when I select country/countires in Site multiselect value I will see only options to select the relevant campuses in Campus multiselect value.

How can I create inherited rule that the Campus will inherit from Site value?

Thanks.

ITWhisperer · ‎05-26-2024

<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
| makeresults format=csv data="Country
USA
Romania
Turkey"
| table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
| makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
$countrychoice$
| table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>

View solution in original post

gcusello · ‎05-26-2024

Hi @joock3r ,

id depends on the data source:

if you have a lookup containing two columns (country and campus), you can fiter the second dopdown using the choice in the first, somthing like this:

| inputookup your_lookup.csv WHERE country=$token1$
| fields campus

if instead you have only one list (USA 1, USA 2, Romania 1, Romania 2, Turkey 1, Turkey2), you should extract the country from the list using a regex, e.g. something like this (having only one column called campus, containing always the country and a number):

first dropdown

| inputookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| fields country

second dropdown:

| inputookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| search country="$token1$"
| fields campus

Ciao.

Giuseppe

ITWhisperer · ‎05-26-2024

For the campus dropdown, use a search which filters the campuses based on the token value from the countries dropdown

joock3r · ‎05-26-2024

I thought about that but didn't succeed to edit the dynamic options for the Campus value.
I tried

 | search $site.token$=$campus.token$*

When $site.token$ is for Site value and $campus.token$* is for Campus value.

ITWhisperer · ‎05-26-2024

<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
| makeresults format=csv data="Country
USA
Romania
Turkey"
| table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
| makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
$countrychoice$
| table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>

Dashboard inherited inputs

subsearch

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Dashboard inherited inputs

subsearch

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!