Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Lookups to dynamically populate a dashboard

davidpaper
Contributor
‎04-21-2016 06:33 AM

I would like to use a lookup table with multiple columns to populate multiple fields for use later in a dashboard. Specifics look like this:

dropdown_input,index,sourcetype,source
value1,val1_data,val1_srctype,val1_source
value2,val2_data,val2_srctype,val2_source

I want to use the dropdown_input as a pulldown selector, and when submitted, to have $dropdown_input$, $index$, $sourcetype$, and $source$ available for use in SPL queries.

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2016 12:11 PM

This should do:

<input type="dropdown" token="magic" searchWhenChanged="true">
  <label>Choose Service</label>
  <search>
    <query>| inputlookup cerby.csv | eval magic = index . "#c#e#r#b#y#" . sourcetype . "#c#e#r#b#y#" . source</query>
  </search>
  <selectFirstChoice>true</selectFirstChoice>
  <fieldForLabel>dropdown_input</fieldForLabel>
  <fieldForValue>magic</fieldForValue>
  <change>
    <condition value="*">
      <eval token="index">mvindex(split($value$, "#c#e#r#b#y#"), 0, 0)</eval>
      <eval token="sourcetype">mvindex(split($value$, "#c#e#r#b#y#"), 1, 1)</eval>
      <eval token="source">mvindex(split($value$, "#c#e#r#b#y#"), 2, 2)</eval>
    </condition>
  </change>
</input>

The input itself can only set one token, so this sets a magic token containing several tokens that then get extracted into individual tokens.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-21-2016 12:11 PM

This should do:

<input type="dropdown" token="magic" searchWhenChanged="true">
  <label>Choose Service</label>
  <search>
    <query>| inputlookup cerby.csv | eval magic = index . "#c#e#r#b#y#" . sourcetype . "#c#e#r#b#y#" . source</query>
  </search>
  <selectFirstChoice>true</selectFirstChoice>
  <fieldForLabel>dropdown_input</fieldForLabel>
  <fieldForValue>magic</fieldForValue>
  <change>
    <condition value="*">
      <eval token="index">mvindex(split($value$, "#c#e#r#b#y#"), 0, 0)</eval>
      <eval token="sourcetype">mvindex(split($value$, "#c#e#r#b#y#"), 1, 1)</eval>
      <eval token="source">mvindex(split($value$, "#c#e#r#b#y#"), 2, 2)</eval>
    </condition>
  </change>
</input>

The input itself can only set one token, so this sets a magic token containing several tokens that then get extracted into individual tokens.

Reply
Solved! Jump to solution

rjthibod
Champion
‎04-21-2016 10:59 AM

Are JS extensions in splunkjs an option or are you required to only use Simple XML?

0 Karma
Reply
Solved! Jump to solution

davidpaper
Contributor
‎04-21-2016 12:17 PM

Only Simple XML.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...