Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Dropdown values from lookup

splunkn
Communicator
‎10-08-2014 06:38 AM

Im having a lookup table which consist of applicationid,applicationname,hosts. For single application I have many hosts.
So I tried with the below
appid,appname,host
APP123,ABCDE,host1;host2;host3
APP234,CDDSD,host4;host5;host6

I want to have two dropdowns in my form. One for application another one for host.
I want to populate the hosts one by one in dropdown corresponding to application. I tried with the delimiter ";".
However no luck. Is there any possible solution or should I go with one by one for each host in lookup 😞

    <label>ABC</label>
    <fieldset autoRun="false">
            <input type="time">
                    <label>Select Time</label>
                    <default>Last 15 minutes</default>
            </input>

            <input type="dropdown" token="appid">
                    <label>Select appid</label>
                    <populatingSearch fieldForValue="appid" fieldForLabel="applabel">
                            <![CDATA[ | inputlookup abc.csv |dedup appid,appname | sort appid,appname | eval applabel=appid + "-" + appname ]]>
                    </populatingSearch>
                    <default>*</default>
  <choice value="*">All</choice>
            </input>

            <input type="dropdown" token="host">
                    <label>Select host</label>
                    <populatingSearch fieldForValue="host" fieldForLabel="host">
                            <![CDATA[ | inputlookup abc.csv  | search appid=$appid$ | makemv delim=";" host | fields host ]]>
                    </populatingSearch>
                    <default>*</default>
  <choice value="*">All</choice>
            </input>
    </fieldset>
Tags (2)
0 Karma
Reply

vasanthmss
Motivator
‎12-12-2014 08:53 AM

Try this,

Populate Appid search,

| inputlookup abc.csv |dedup appid,appname | sort appid,appname | eval applabel=appid + "-" + appname

Populate Host based on Appid search, [ Assuming you have ";" as your delimiter in host field ]

| inputlookup abc.csv  | eval host=split(host,";") | mvexpand host | search appid=$appid$ | stats count by host  | fields host

Hope this will help you,

Cheers!

V
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...