Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create dashboard filters with lookups?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create dashboard filters with lookups?
Hello,
I am trying to create dashboard filters (multiselect) using a lookup. The filters I am trying to add to my report are region,country, and location. The location field exists in my event data and I want to match that location on the service_receipt_location of my lookup to pull in region, country, and location and filter on those. I am having some problems figuring out how to do that in my search query. I have the drop down filters working correctly. Below is the HTML code for the filters. Can you please help me figure out how to put these in my search? Thank you!
<input type="multiselect" searchWhenChanged="true" token="region">
<label>Region</label>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Region="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>| inputlookup CallCenterSites.csv | stats count by Region</query>
</search>
<fieldForLabel>Region</fieldForLabel>
<fieldForValue>Region</fieldForValue>
<choice value="*" OR NOT Region= "*">All</choice>
<default>"*"" OR NOT Region= ""*"</default>
</input>
<input type="multiselect" searchWhenChanged="true" token="country">
<label>Country</label>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Country="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<choice value="*" OR NOT Country="*">All</choice>
<search>
<query>| inputlookup CallCenterSites.csv | search $region$ | stats count by Country</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Country</fieldForLabel>
<fieldForValue>Country</fieldForValue>
<default>"*"" OR NOT Country=""*"</default>
</input>
<input type="multiselect" searchWhenChanged="true" token="loc">
<label>Location</label>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Service_Recipient_Location="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<choice value="*" OR NOT Service_Recipient_Location="*">All</choice>
<search>
<query>|inputlookup CallCenterSites.csv| search $country$ | stats count by Service_Recipient_Location</query>
<earliest>0</earliest>
</search>
<fieldForLabel>Service_Recipient_Location</fieldForLabel>
<fieldForValue>Service_Recipient_Location</fieldForValue>
<default>"*"" OR NOT Service_Recipient_Location=""*"</default>
</input>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
If your raw data contains a field Service_Recipient_Location and you want to apply all filters than you can write the query like:
index=foo sourcetype=bar $region$ $country$ $loc$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your raw data contains field called (same case) Service_Recipient_Location then your search can be like this
index=foo sourcetype=bar $loc$
If the field name is different, you'd need to rename the field in dropdown 3 for Location (rename at the end of search, update fieldForValue/fieldForLabel/default/choice/prefix etc with appropriate fieldname)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay I changed the lookup to be named location but that doesn't help me filter on region or country- only on location
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
