Thanks, now I see it, and it's set to app permissions. I'll work with our Splunk admins to update this. ... View more

thanks, i'll work with the splunk admins. ... View more

i am on v 6.6.10. So I can't run this in all the apps with a search bar? it only works in search app? Everyone here uses their own department's app to segregate pci/phi/etc with permissions. ... View more

This is it. Thanks! It works. As fast as my other method too, albeit a bit more complex, it avoids the join, which is good. ... View more

Thanks, i'll take a look at SplunkJS. If it has to be installed, and if we don't have it, we probably won't get it. For 2), i'm not sure what SPL is. Can you clarify? Also, where would I use the independent search? ... View more

good idea. ill use another env. I'll try to find some time. ... View more

thanks, this works. I don't think I can escape having an ever increasing list of conditions when new panels get added, but this looks doable. I get to keep them all on a single input dropdown. I added a condition so "All" will work, based on the value of another dropdown (the one higher up in the hierarchy) <change> <condition match="('value' == &quot;%&quot; AND $field3$ == &quot;4.1&quot;) OR 'value' == &quot;4.1.1&quot; OR 'value' == &quot;4.1.2&quot;"> <set token="form.field4">%</set> <set token="showPanel">true</set> </condition> <condition match="$value$ == &quot;None&quot;"> <set token="form.field4">None</set> <unset token="showPanel"></unset> </condition> <condition match="$value$ != &quot;None&quot;"> <set token="form.field4">%</set> <unset token="showPanel"></unset> </condition> <condition> <unset token="showPanel"></unset> </condition> </change> ... View more

thanks. this works. I like the [] syntax better so I don't have to escape the double quotes, but this will do. the dropdown is dynamically created so unfortunately I need the map. Do I have to add a |s suffix to other internal variables (e.g. $var|s$) so user input of var will have its double quotes escaped? ... View more

you're right about search and where, however, the test is not the same. i think what i'm saying, in my example, is that if the * had to be extracted from a variable, then it will be treated as a literal, even in search. it's almost like it's trying to do this (notice the escape char) if the value was extracted from a variable that's absent here, or token actually. index=_* | search sourcetype="splunk\*" i can tell you my initial query absolutely does not work. normally I modify what i post from the actual but in this example, it is the exact one, so no inadvertent modifications upon using it. i created a tiny dashboard with both your query and mine. yours works, as you claim it should, and mine doesn't. in yours, it's extracting the * from the token and using it as a wildcard, but in mine it doesn't. the only difference is the AppNo is coming from a lookup table instead of a log file. below is the tiny dashboard used to compare. to test, though, you may have to change the queries slightly and create an actual lookup table with "AppNo", "FuncNo", "Functionality" with values 1, 1, whatever. I expect to get the values of the lookup table in my query (the first one) like i get values in my log file from yours (the bottom one) Test Dash <input type="dropdown" token="app" searchWhenChanged="true"> <label>Application</label> <choice value="None">None</choice> <choice value="*">All</choice> <search> <query/> <earliest>-24h@h</earliest> <latest>now</latest> </search> <default>None</default> <initialValue>None</initialValue> </input> <panel> <html> <h4>app: $app$</h4> </html> </panel> <panel> <table> <search> <query>| inputlookup Functionalities.csv | search AppNo=$app$</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> <panel> <table> <search> <query>index=* earliest=-10m@m latest=-0m@m | search sourcetype=$app$</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> ... View more

Would the same apply to anything that has inescapable limits, like map too? That has limits that I have reached. I need some solution that maintains the lower table's row-independence. ... View more

This is interesting. Like the first solution, however, this places all functionalities on a single row. i need them all on separate rows. Can we use lookup but create one row per functionality? The result set here feeds into another query, and that result set into another, so they need to retain their independence. ... View more

this solution won't scale then, since it will match and break out of the change tag. I need a solution that will allow for multiple panels each with their own condition that may overlap. sorry to be difficult, but am I otherwise correct in asserting that Splunk does not allow multiple condition sets on an input panel? ... View more

It looks like you removed the part where only 1 of 2 values are supposed to show the panel, that being 4.1.1 and 4.1.2 in field1. all other values should hide the panel. would this be as simple as adding a match to the last condition of field2? ... View more

this is good to know, thanks; however, did you state that last part backwards? search is actually what doesn't work. where, however, works. ... View more

I'll have to get specific. The 2 conditions do unrelated things. it's a dropdown that's populated based on the values of yet another dropdown. there's 4 dropowns in linear hierarchy if it helps. this is the 3rd one down. If "None" is chosen, then i want the 4th dropdown to show "None". If anything else is chosen, then I want the 4th dropdown to show "All" until the user selects a different one. this is independent of the panel i want to show. If 2 values are specifically chosen, then i want a particular panel to show. it's specific to a value chosen in the 1st, 2nd, and 3rd dropdowns, but there's enough info in the 3rd dropdown only at the moment to know. this will stay off most of the time since that panel's values can change a lot and those 2 values may not even be in the resultset based on what the user chose in the 1st and 2nd dropdown. There are going to be a lot of specific panels based on dropdown values, so a solution should scale nicely. hope this clears it up. ... View more

thanks for the reply. unfortunately, since the conditions are unrelated, i cannot set the input2 value at the time i decide whether to show the panel. I should have clarified this earlier, sorry. ... View more

I have updated my answer to give sample data for the first 2 tables. The other 2 are linearly below these in the hierarchy but not necessary to get this working. Why do you state join is a wrong approach? Under what circumstances would it be a correct approach? ... View more

I got this working using where like(), which requires double quotes and %. | inputlookup Functionalities.csv | where like(AppNo, "$app$") $app$ can contain a number or a % and it will pull either the entire csv or a subset of it. For those where a * value works, that is certainly easier, but for me, for some unknown reason, wildcard asterisks act as literals when its a value of a variable. If this is the case for you, this is a 2nd way to write it. ... View more

I tried this as well. I have found a workaround using like() that I will post, but it has the double " that you mention as necessary. ... View more

perhaps it is related to the version of splunk. luckily this is a simple test so i can attest this does not work on our version 6.6.10.2b5f6c3d5f96 ... View more

thanks! that works better. apparently i can ask a question but not edit it right after. ... View more

this reputation crap is terrible. i can't correct the above to html encode the asterisk. please re-read the value of $app$ as "*" ... View more