Splunk Search

How to create a dependent dropdown and multivalue input fields with dynamic default values on a dashboard?

JacobPN
Path Finder

Hi!

I have searched quite a bit, but could not find a suitable solution for the following problem:

I have a csv file (say car_brands.csv) with a list of objects (say cars) that belong to a certain category (say car brand). So for example:

car1, bmw
car2, opel
car3, opel
car4, nissan
...

What I would like to have on a dashboard is one dropdown input field and one multiselect input field. The dropdown should get all the categories (car brands) dynamically and have one static value (all). The multiselect input field should have all cars (car1, car2..). All of them should be selected by default. I have succeeded to make a search that dynamically populated both input fields. However I did not manage to make all the cars selected by default. Moreover, I also want that as soon as the user chooses a category (car brand) in the dropdown then all the cars belonging to that brand should appear selected in the multiselect field (obviously, upon selecting 'all' , all cars should appear in the multiselect field.

In other words: all the different cars should remain always available in the multiselect input field, but the user should be able to use the first dropdown as a way of selecting a subset of them (without having to select them one by one) in the multiselect field.

What is the best way to accomplish this?

It is not preferred, but if there is no other way, I could hard code the category names, instead of getting them from the lookup table (there are not that many).

Thanks!

0 Karma

adonio
Ultra Champion

Hello @JacobPN,
hi hope i understood your question. my csv looks like this: car_number, car_brand, made_in just to taker it one step further
here is the dashboard:
alt text

alt text

Here is the code:

<form>
  <label>Cars</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="MADE_IN" searchWhenChanged="true">
      <label>Make Country</label>
      <choice value="*">ALL</choice>
      <fieldForLabel>made_in</fieldForLabel>
      <fieldForValue>made_in</fieldForValue>
      <search>
        <query>| inputlookup cars.csv | fields made_in | dedup made_in</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="MAKER" searchWhenChanged="true">
      <label>Maker</label>
      <choice value="*">ALL</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>car_brand</fieldForLabel>
      <fieldForValue>car_brand</fieldForValue>
      <search>
        <query>| inputlookup cars.csv | search made_in = $MADE_IN$ | dedup car_brand | table car_brand</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="multiselect" token="CAR" searchWhenChanged="false">
      <label>Car Number</label>
      <choice value="*">ALL</choice>
      <prefix>(car_number=</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>car_number</fieldForLabel>
      <fieldForValue>car_number</fieldForValue>
      <search>
        <query>| inputlookup cars.csv | search made_in=$MADE_IN$ car_brand=$MAKER$ | dedup car_number | table car_number</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Count by made_in</title>
      <table>
        <search>
          <query>| inputlookup cars.csv | search made_in=$MADE_IN$ | stats count by made_in</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">50</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Top Car Brand</title>
      <chart>
        <search>
          <query>| inputlookup cars.csv | search made_in =$MADE_IN$ | top car_brand</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

nagarajsf
Explorer

Hi @adonio

How can we pass query to drop-down list, instead getting information based on content could define some values for fixed objects like A,B, C and backend we need to target some queries.

I posted some question similar to this,

fyi :https://answers.splunk.com/answers/780873/multivalve-drilldown-and-dropdown-is-not-working-i.html

link text

0 Karma

JacobPN
Path Finder

Hi Adiono. Thanks for your elaborate answer! It is almost what I need. However, instead of having the token of the first dropdown change the search in the other two inputs, I would like to have it change the default value in of the multiselect field.
In other words: all the different cars should remain available in the multiselect input field, and the user should be able to use the first dropdown as a way of selecting a subset of them (without having to select them one by one).
-- added this clarification also to the original post --

0 Karma

adonio
Ultra Champion

I am not sure i follow that logic but i might be misunderstanding you.
so, you want cars that are not VW to appear as an option when you pick VW for example?
if this is what you want, remove the filter of tokens from the search that populates the car_number multi select.

 </input>
     <input type="multiselect" token="CAR" searchWhenChanged="false">
       <label>Car Number</label>
       <choice value="*">ALL</choice>
       <prefix>(car_number=</prefix>
       <suffix>)</suffix>
       <valuePrefix>"</valuePrefix>
       <valueSuffix>"</valueSuffix>
       <delimiter> OR </delimiter>
       <fieldForLabel>car_number</fieldForLabel>
       <fieldForValue>car_number</fieldForValue>
       <search>
         <query>| inputlookup cars.csv | search car_number=* | dedup car_number | table car_number</query>
         <earliest>0</earliest>
         <latest></latest>
       </search>
       <default>*</default>
       <initialValue>*</initialValue>
     </input>
0 Karma

JacobPN
Path Finder

What I would like is that as soon as you select 'bmw' on the dropdown, then all bmw-cars get selected in the multiselect input. If you select 'vw' in the dropdown all vw-cars get selected in the multiselect input, and so on. Additonally, after you selected for example 'vw' in the dropdown, and all vw-cars have been selected in the multiselect input, you should be free to select one (or more) addional cars for the multiselect (which are then necessarily of a different brand).

So, in principle you only need the multiselect input to select cars. However it might take to long to select all cars that you want. Therefore I would like a dropdown to select all cars of a particular brand at once. (It's not necessary to use the dropdown twice, i.e. select all bmw cars AND all vw cars)

0 Karma

adonio
Ultra Champion

Ok, i think i understand now, just to verify, you would like some kind of opposite selection for example: if you pick VW the result in the multi select will be: [car1] [car2] [car3] ... carN and you can click X to remove them from the multi select?
the second requirement is that to use the dropdown to add a second car brand?
for the second requirement, why not use multi select for car brand as well?
Can you elaborate a little about your use case? its hard for me to visualize how a multi select form packed with car name is more convenient then finding your car alphabetically or any other logical order

0 Karma

JacobPN
Path Finder

There is no second requirement. The only requirement is that selecting a car brand in the first dropdown, all cars belonging to that car brand should get selected in the multiselect input.
So:

dropdown: choose bmw
as a consequence
multiselect: car1, car2, car4 get selected
(assuming car1, car2 and car4 are bmw's). After that, the user should be able to select additional cars in the multiselect box, or remove some of the cars that are selected.

A use case for this could be that you have a dashboard that displays certain facts about cars. For example: how many cars of a certain type have you sold. How many people own a certain type of car, etc. Selecting two cars could then result in the sum of such numbers for the two cars. In most cases you might be interested in the sum of all cars of a certain brand. Hence the need for a quick way to select all cars of that brand.

0 Karma

adonio
Ultra Champion

when selecting a car brand, the default is ALL (in this dashboard) you can create a table panel that will populate that list.
I dont know how to make the multi select contain all the values individually as a default.
Maybe someone can jump in and help with that topic. However, I still think it is easier and cleaner the way it is. you can create very dynamic and flexible panels with searches that answers your use case.
for example, when you select a brand, and it populates ALL by default, a quick | stats count search will give you a single value of all the cars under that brand. | table car_number will give you a table with all the cars in that brand, etc.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...