It's actually easy enough with a bit of inline CSS - see this simple XML dashboard example, which hides the colour dropdown and sets the colour to black. If you select A, C or D then the colour dropdown is re-shown. <form version="1.1" theme="light"> <label>ddl</label> <fieldset submitButton="false"> <input type="dropdown" token="component" searchWhenChanged="true"> <label>Component</label> <choice value="A">A</choice> <choice value="B">B</choice> <choice value="C">C</choice> <choice value="D">D</choice> <change> <eval token="display_colour">if($component$="B", "display:none", "")</eval> <eval token="colour_name">if($component$="B", "No Colour", $colour_name$)</eval> <eval token="form.colour">if($component$="B", "#000000", $form.colour$)</eval> <eval token="colour">if($component$="B", "#000000", $colour$)</eval> </change> </input> <input type="dropdown" token="severity" searchWhenChanged="true"> <label>Severity</label> <choice value="Info">Info</choice> <choice value="Warning">Warning</choice> </input> <input id="colour_dropdown" type="dropdown" token="colour" searchWhenChanged="true"> <label>Colour Dropdown</label> <choice value="#000000">Black</choice> <choice value="#ff0000">Red</choice> <choice value="#00ff00">Green</choice> <choice value="#0000ff">Blue</choice> <change> <set token="colour_name">$label$</set> </change> </input> </fieldset> <row depends="$AlwaysHideCSS$"> <panel> <html> <style> #colour_dropdown { $display_colour$ } </style> </html> </panel> </row> <row> <panel> <html> <h1 style="color:$colour$">Component $component$, Severity Level $severity$, Colour $colour_name$</h1> </html> </panel> </row> </form>   ... View more

What @richgalloway said, but whenever you reference a JSON field containing dots in the right hand side of an eval you MUST wrap the field name in single quotes, i.e. the first suggestion should be eval Error=case(isnotnull('attr.error'), 'attr.error', isnotnull('attr.error.errmsg'), 'attr.error.errmsg') but for your solution the coalesce() option would make sense - note there the use of single quotes - always for the right hand side of the eval.  This applies not just to JSON field names, but any field name that contains non simple characters or field names that start with numbers. ... View more

I don't quite follow you. but it seems like you only need a single drop down index=$index$ (source="/log/test.log" $host$ ) | rex field=name "(?<DB>[^\.]*)" | stats count by DB What is selecting your index and host fields Can you share more of your dashboard XML.  Note that the above doesn't do the rename or table, as they are not necessary - just use DB as the fields for label/value rather than Database. ... View more

1) c doesn't exist unless it is a value in WriteType and even then it will contain a count not "test" or "qa" 2) No, you can only have two fields with chart. Perhaps it would be better if you explained what you are trying to do, and share some representative anonymised sample events? (I may have said that before a few times!) ... View more

Here's a simple example <form version="1.1"> <label>HostDropdown</label> <fieldset submitButton="false"> <input type="dropdown" token="hosts" searchWhenChanged="true"> <label>Host Types</label> <choice value="prodhost*">Production</choice> <choice value="qahost*">QA</choice> <choice value="testhost*">Test</choice> </input> </fieldset> <row> <panel> <table> <search> <query> index=aaa source="/var/log/test1.log" host=$hosts$ |stats count by host </query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> I suggest you look at this and have a look through the documentation that describes this https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML   ... View more

That's correct because label has to be unique, in this case it will not generate unique label. I would suggest set the label as well with host field, because host name already tells you whether its QA or Prod or Dev.   I hope this helps!!! ... View more

No, you cannot get the index name from a log file. The index is specified when the data is onboarded as part of the inputs.conf settings. At search time, data is fetched from one or more indexes.  Getting the index from a log file would mean going to an index to get a log file to get the name of an index.  Doesn't make much sense. What problem are you trying to solve? ... View more

host is same across all the env. i am facing issue when i bind the same value to drop down list saying "Duplicate values causing conflict". But i need dropdown list with TEST/QA/PROD(label) with same host value. - how can i achieve this? ... View more

The timeframe you showed (which I removed) applies to the search to dynamically populate the dropdown. Since you don't have a search to populate the dropdown (as shown by your error message), you don't need the timeframe here. You can still use the time in other parts of your dashboard. ... View more

So we have to create two different drop down list for each path and show/hide can be used? ... View more

Just to clarify, the depends attribute works on the presence / absence of a token having a non-null value, not on a specific value of the token. Without the rest of the dashboard, it is not clear whether you are using tokens in this way. ... View more

Hi @Jasmine, "app" and "servie" are not default Splunk fields, although they may be extracted in your search context. If you're using the search interface to explore data, make sure you're running searches in "Smart Mode" (preferably) or "Verbose Mode." The mode selector is just below the magnifying glass search button. ... View more

If the query worked, you can mark it as a solution. It'll will help someone who refers similar thing in future. Cheers!! ... View more

@Jasmine  Have you tried to achieve this by adding a custom click event on Submit button using JS Extention? KV ... View more

It's impossible to help you without your dashboards codes etc. ... View more

Hi @Jasmine , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

The evals use the Error field, but have you confirmed the field exists?  Please show the SPL prior to the eval. ... View more

Read the docs or forms and simplexml.  You can just "unset" the control's form and value manually to force it to reset to it's default value. ... View more

Assuming you're using simple xml, Edit your dashboard xml to add timerange elements in your dropdown search. <input type="dropdown" token="dropdownToken" searchWhenChanged="true"> <label>Dropdown label</label> <fieldForLabel>value</fieldForLabel> <fieldForValue>value</fieldForValue> <search> <query>your dropdown search</query> <earliest>$timerange.earliest$</earliest> <latest>$timerange.latest$</latest> </search> </input>   ... View more

Customize dashboard styling and behavior - Splunk Documentation ... View more

Can you please suggest better solution for the above. ... View more

This question is a bit of a mess and I cannot make sense of it.  Probably you should start over and be more clear.  We usually do not care much about your existing SPL.  What we REALLY care about is CLEAR SAMPLE DATA (preferably with generation SPL, like I show below) and CLEAR DESIRED OUTPUT.  It looks VERY much like your data is being sent in wrong and that each current event is actually multiple events.  You should reindex it and break up these event clumps into single events.  If the problem is that each clumped event lacks a correlation ID (so if you split them, the relationship is lost), then you should take a look at cribl because it has a feature to do this.  You can contact me directly because that discussion is more complicated than we can do here. In any case, here is what I have for a start:   | makeresults | eval _raw=" 2023-03-31 05:14:16,447 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table1\": \"employee\", \"Time1\": \"3.04\"}" | append [| makeresults | eval _raw="2023-03-31 05:14:16,393 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table2\": \"salary\", \"Time2\": \"4.05\"}"] | append [| makeresults | eval _raw=" 2023-03-31 05:20:16,393 - __main__ - INFO - {\"Id\": \"123456JKL\", \"Table3\": \"salary1\",\"PayLoad\": {\\\"type\\\":\\\"test\\\",\\\"name\\\":\\\"jas\\\"}"] | eval _time = strptime(_raw, "%Y-%m-%d %H:%M:%S,%3N") | kv pairdelim="{,}" kvdelim=":"   ... View more