Dashboard inherited inputs

joock3r
Explorer

Hey all,

I'm building a new dashboard that contains 2 multiselect values:

Site: USA, Romania, Turkey.... (only countries)

Campus: USA1,USA2,Romania1,Romania2.... (contains the country's name and number).

When I select a country/countries in the Site multiselect, I want to see only the relevant campuses as options in the Campus multiselect.

How can I create an inherited rule so that Campus will inherit from the Site value?

Thanks.

gcusello
SplunkTrust

Hi @joock3r ,

It depends on the data source:

if you have a lookup containing two columns (country and campus), you can filter the second dropdown using the choice in the first, something like this:

| inputlookup your_lookup.csv WHERE country=$token1$
| fields campus

if instead you have only one list (USA 1, USA 2, Romania 1, Romania 2, Turkey 1, Turkey2), you should extract the country from the list using a regex, e.g. something like this (having only one column called campus, containing always the country and a number):

first dropdown:

| inputlookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| dedup country
| fields country

second dropdown:

| inputlookup your_lookup.csv
| rex field=campus "^(?<country>[^0-9]+)\d+"
| search country="$token1$"
| fields campus

Ciao.

Giuseppe
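
The single-column lookup approach described above, wired into two multiselect inputs, as an added example that is not part of any post in this thread. It assumes the `your_lookup.csv` lookup with one `campus` column from the reply above; the token names `site` and `campus` and the `All` choice are hypothetical.

```xml
<form version="1.1">
  <label>Campus filtered by site (lookup-driven)</label>
  <fieldset submitButton="false">
    <!-- Site: countries derived from the campus column of the assumed lookup -->
    <input type="multiselect" token="site" searchWhenChanged="true">
      <label>Site</label>
      <choice value="*">All</choice>
      <default>*</default>
      <search>
        <!-- The angle brackets of the rex named group must be XML-escaped -->
        <query>| inputlookup your_lookup.csv
| rex field=campus "^(?&lt;country&gt;[^0-9]+)\d+"
| dedup country
| sort country
| fields country</query>
      </search>
      <fieldForLabel>country</fieldForLabel>
      <fieldForValue>country</fieldForValue>
      <!-- Selected values expand to: (country="USA" OR country="Romania") -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>country="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <!-- Campus: same lookup, restricted by the expanded $site$ token -->
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Campus</label>
      <search>
        <query>| inputlookup your_lookup.csv
| rex field=campus "^(?&lt;country&gt;[^0-9]+)\d+"
| search $site$
| fields campus</query>
      </search>
      <fieldForLabel>campus</fieldForLabel>
      <fieldForValue>campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>
```

Because each selected value is wrapped in quotes by `valuePrefix`/`valueSuffix`, a multi-value selection reaches the Campus search as one complete boolean expression rather than a bare list.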

ITWhisperer
SplunkTrust

For the campus dropdown, use a search which filters the campuses based on the token value from the countries dropdown.

0 Karma

joock3r
Explorer

I thought about that but didn't succeed in editing the dynamic options for the Campus value.
I tried

 | search $site.token$=$campus.token$*

where $site.token$ is for the Site value and $campus.token$* is for the Campus value.

0 Karma

ITWhisperer
SplunkTrust
<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
| makeresults format=csv data="Country
USA
Romania
Turkey"
| table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
| makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
$countrychoice$
| table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>