nested dropdowns in dashboard

dxw350 · ‎06-28-2017

If you have two dropdowns for a dashboard where the second dropdown is dependent on the first, is there a way to create this using dynamic fields in the UI creation tab? I only found that you need to use something like "populatingsearch" but that is not part of the UI creation tab as follows and it is not working:

  <label>Firewall</label>
  <choice value="Tfw*">T firewalls</choice>
  <choice value="Xfw*">X firewalls</choice>
  <choice value="*">All Locations (includes JC)</choice>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <default>*</default>
  <delimiter> OR </delimiter>
</input>
<input type="dropdown" token="param_fwname">
  <label>fwname</label>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <populatingsearch>earliest="0" latest="" fieldForLabel="fwname" fieldForValue="fwname"  index=firewall_juniper param_fw=$param_fw$|dedup param_fw</populatingsearch>
  <choice value="*">all</choice>
</input>

dxw350 · ‎06-28-2017

Hi. So I got it to work with the script dashboard example in Splunkbase for cascade drop down. I don't understand why the following was needed as described in the Splunk cascade

|stats count by host (in my case) or |stats count by sourcetype (as stated in the splunk dashboard example). Couldn't I have just used |search host ?????

niketn · ‎06-28-2017

| stats count by host is a way of getting unique hosts (since stats work better than most other resource consuming commands)

another option instead of stats could have been

| dedup host

In my example above I had used

| head 1

This one seemed to be the fastest based on your use-case as I understood. Please run Job Inspector and analyze your various search performance prior to choosing any specific approach.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dxw350 · ‎06-28-2017

thank you. I will look at the search since it looks like that replaced "populatingsearch" in my 6.5 version

niketn · ‎06-28-2017

@dxw350, you have mentioned two dropdowns in your question however, your first input seems to have delimiter tag which is not supported by Dropdown. Do you want to use multiselect or dropdown as first input?

Following should get you two dropdowns where 2nd runs a search based on value selected in the first dropdown.

    <input type="dropdown" token="param_fw" searchWhenChanged="true">
      <label>Firewall</label>
      <choice value="Tfw*">T firewalls</choice>
      <choice value="Xfw*">X firewalls</choice>
      <choice value="*">All Locations (includes JC)</choice>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>*</default>
    </input>
    <input type="dropdown" token="param_fwname">
      <label>fwname</label>
      <choice value="*">all</choice>
      <search>
        <query>index=firewall_juniper param_fw=$param_fw$ earliest="-1d@d" latest=now
 | head 1</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>*</default>
    </input>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2 · ‎06-28-2017

Based on version of Splunk you're using, the populatingsearch is replaced by just 'search'. See this
http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/PanelreferenceforSimplifiedXML#dropdown

Also, download and look at Splunk 6.x dashboard example app https://splunkbase.splunk.com/app/1603/ for cascading inputs/dropdowns and other many examples.

nested dropdowns in dashboard

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM