
How to perform Cross inputlookup validation on dashboard panel?

hatalla
Path Finder

I have a dashboard panel with input text field A that upon submitting the form, will be appended to column A in inputlookup X. But prior to appending, I need to validate if field A from inputlookup X matches any of the field values in field B in inputlookup Y. If field A from inputlookup X matches field B from inputlookup Y then display an error message and abort the append.

Any ideas on how to perform this sort of cross lookup validation?

Thanks so much.

0 Karma
1 Solution

elliotproebstel
Champion

The basic pattern you're describing is this:
1. Look up field A from event in file Y, where it is known as B
2. If there is a result in step 1, then output some sort of flag
3. Filter out all results with flag set
4. Append remaining items (if any) to file X

Look up field A from event in file Y, where it is known as B
As I don't know if there are any other fields in file Y, I'll just output B again and name it flag_field for demonstration purposes.

| lookup Y B AS A OUTPUT B as flag_field

This step also outputs the flag, so step 2 is accomplished.

Filter out all results with flag set
Here I'll use where to look for events that do not have the field flag_field (e.g. where it is null)

| where isnull(flag_field)

Append remaining items (if any) to file X

| outputlookup append=t X

If there were no results after the filter, this will have no effect.

Full query

your base search that contains events with field A
| lookup Y B AS A OUTPUT B as flag_field
| where isnull(flag_field)
| outputlookup append=t X


0 Karma


hatalla
Path Finder

@elliotproebstel - thanks so much for your answer, that solution worked 🙂

Is there a way to display an alert box or something if there is a field match between field A on lookup X and field B on lookup Y - just to notify/alert the user that the entered value will NOT be appended to lookup X?

Thanks.

0 Karma

hatalla
Path Finder

Awesome thanks. I used the "simple XML" route and added a conditional panel that hide/displays depending upon returned events.

As far as using JS, that means converting the panel from XML to HTML; is that correct? I came across this http://dev.splunk.com/view/SP-CAAAEM2 as far as configuring HTML panels; was wondering if you know of a more comprehensive developer guide on working with HTML panels; as in:

  • JS validation on input fields.
  • Grabbing field values from the result set.
  • Looping through the result set.

Thanks so much.

0 Karma

elliotproebstel
Champion

Actually, you don't need to convert the SimpleXML to HTML in order to add JS. You just modify the source code of your dashboard by adding a reference to the Javascript file into the <dashboard> element like this: <dashboard script="my_js_file.js">. Then place the JS file into $SPLUNK_HOME/etc/apps/<appname>/appserver/static with appropriate permissions. To make Splunk pick up the new JS file, you'll need to do a debug/refresh by visiting:
http[s]://splunkservername:splunkport/en-US/debug/refresh

I think this is a pretty comprehensive guide to get started on adding a JS file to your dashboard:
http://dev.splunk.com/view/dev-guide/SP-CAAAE25

0 Karma

elliotproebstel
Champion

Sure thing. You could use javascript to test the results of the search and take an action, such as popping up an alert box.

If you don't feel comfortable in javascript and want to stick to Simple XML, you could add some token-based logic into your dashboard, using the guidance from this doc:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/tokens#Search_tokens_for_dynamic_display_...

Step 1: Set token
Edit the source code of your dashboard. Look for the <search> element that you coded with the code above. You'll modify it like this:

<search>
 <query> ... </query>
 <earliest> ... </earliest>
 <latest> ... </latest>
 <done>
  <condition match="'job.resultCount' == 0">
   <set token="show_alert">true</set>
  </condition>
  <condition>
   <unset token="show_alert" />
  </condition>
 </done>
</search>

Note: don't modify the elements I've denoted with ... - those are placeholders.

Step 2: Configure panel to display based on token setting
Add a panel to your dashboard that simply contains the alert you'd like to display. Edit the source code of the dashboard, and in the <panel> element for the alert panel, add a depends clause like this:

<panel depends="$show_alert$">

More info about showing and hiding content on a dashboard can be found here:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/ContextualDrilldown#Show_or_hide_content

0 Karma
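
The two steps above combined into one Simple XML form, as an added example that is not part of the original thread. The text input, the `makeresults` base search and the `|s` and `|h` token filters are assumptions added here; X and Y are the thread's placeholder lookup names.

```xml
<form>
  <label>Append A to lookup X unless it exists as B in lookup Y</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="field_a">
      <label>Field A</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Rows appended to X</title>
      <table>
        <search>
          <!-- Assumed base search: builds one row from the typed value.
               $field_a|s$ quotes and escapes the value before it enters the search string. -->
          <query>
            | makeresults
            | eval A=$field_a|s$
            | table A
            | lookup Y B AS A OUTPUT B AS flag_field
            | where isnull(flag_field)
            | outputlookup append=t X
          </query>
          <done>
            <!-- Zero rows left after the filter: the value matched Y, nothing was appended. -->
            <condition match="'job.resultCount' == 0">
              <set token="show_alert">true</set>
            </condition>
            <condition>
              <unset token="show_alert"></unset>
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <!-- Shown only while show_alert is set. -->
    <panel depends="$show_alert$">
      <html>
        <!-- |h makes the echoed value HTML-safe. -->
        <p>"$field_a|h$" already exists as field B in lookup Y and was not appended to lookup X.</p>
      </html>
    </panel>
  </row>
</form>
```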