Filter a dashboard table by column values

bruceclarke · ‎05-20-2015

All,

I have a simple table visualization on a dashboard and I want to have the option to filter down to specific values for each column. For example, I have a column for the disk drive that data is coming from (for some machines this could be a C:, D:, E:, for others just a G:, etc) and I want to only show rows that have disk drive C:.

Right now I have a selector above the table that lists all the possible drives, sets a form input, and reissues a search for the tables content. That's annoying, since you have to wait for data to return again, even though you already know it's a subset of the data already in the table.

Does anyone know if there's a way I can filter a table like this without needing to reissue the query? Thanks!

kyaparla · ‎03-27-2017

Very late response, you might have figured a solution, but this is what I did for one of our use cases.

With text input with token "filtertext" and below post process search, can filter all the columns in the table.

| foreach * [eval filter=if((filter=1 OR match('<>',"(?i).$filtertext$.")),1,0)] | search filter=1 | fields - filter

aljohnson_splun · ‎05-20-2015

Post-process searches

Sometimes you end up with a dashboard running searches that are similar. You can save search resources by creating a base search for the dashboard. Panels in the dashboard use a post-process search to further modify the results of a base search. The base search can be a global search for the dashboard or any other search within the dashboard.

More here.

Post-process limitations

Post-process searches have limitations.

If the base search is a non-transforming search, Splunk Enterprise retains only the first 10,000 events returned. The post-process search does not process events in excess of this 10,000 event limit, silently ignoring them. This results in incomplete data for the post-process search. A transforming search as the base search helps avoid this limitation.
If the post-processing operation takes too long, it can exceed Splunk Web client’s non-configurable timeout value of 30 seconds. This can result in a timeout due to an unresponsive splunkd daemon/service. This scenario typically happens when you use a non-transforming search as the base search.

From the docs:

Form with post-process search for inputs

You can use a post-process search to dynamically populate inputs to a form. The following example shows a form with two inputs. The drop-down list, which selects an index to search, defines the choices statically. The drop-down list to select a source type statically defines the default choice but uses a post-process search to dynamically define the other choices.

Base search for populating the source type dropdown
index=_internal | stats count by sourcetype

Post process for dropdown input
| search sourcetype=splunkd*

<form>
  <label>Post Process in Form Inputs</label>

  <!-- Global search for post process by dropdown input -->
  <!-- Search uses stats command to limit results to less than 10,000 limit -->
  <search id="searchInput">
    <query>index=_internal | stats count by sourcetype</query>
    <earliest>-60min</earliest>
    <latest>now</latest>
  </search>

  <fieldset submitButton="false">

    <!-- Select an index from two static choices -->
    <input type="dropdown" token="index_tok" searchWhenChanged="true">
      <label>Select an index to search</label>
      <choice value="_internal">Internal</choice>
      <choice value="*">All public indexes</choice>
      <default>_internal</default>
    </input>

    <!-- Dynamically populate choices -->    
    <input type="dropdown" token="sourcetype_tok" searchWhenChanged="true">
      <label>Select a source type</label>

      <!-- default choice is all sourcetypes -->
      <choice value="*">All sourcetypes</choice>
      <default>*</default>

      <!-- Post-process search to dynamically populate choices -->
      <search base="searchInput">
        <query>search sourcetype=splunkd*</query>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>

    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Chart</title>
        <search>
          <query>
            index=$index_tok$ sourcetype=$sourcetype_tok$ | timechart count
          </query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>

bruceclarke · ‎05-21-2015

I don't think this is quite what I want.

Imagine I have a search that returns a table of restaurant information. I have a zip code input that drives the initial population of the table (e.g. get me all restaurants in that zip code). The table is then populated with a bunch of columns, two of which are "cuisine" and "average price." I want to filter down the table to only Italian cuisine and order by average price. Right now, I need to have an input that reissues the query with the "Italian" filter.

All I should need to do is have a filter on the table. Issuing a separate query is unnecessary and adds unneeded load time to the dashboard. If this functionality doesn't exist, I can file an enhancement request.

jasonang · ‎12-30-2015

Bruce, did you get this answered? I have the same question. Thanks.

bruceclarke · ‎12-30-2015

Hi jasonang - I didn't get a response, but I did file an enhancement request. Case 303365