
How to populate the fields in second pulldown based on the selected field in first pulldown using sideview

disha
Contributor

I have a first pulldown "eventDescription". Based on the selected event description I need to populate additional pulldowns with related fields. How can we achieve this with Sideview?
Referring to the question http://splunk-base.splunk.com/answers/58060/second-dropdown-is-not-getting-populated
How can we do this with the Sideview app, as I am using Sideview pulldowns? I went to the Sideview documentation but was not able to find it. Please guide.
Thanks in advance.

sideview
SplunkTrust

You're right - this should be added as an example to the docs!

In the meantime, I've included a working example below that will work with the _internal data.

Note that with the Sideview Pulldown module there's no special "internal" search to configure, and you can plug the selected $foo$ tokens back into searches without using any intentions.

So I'm not going to say it's simple, because advanced XML is never particularly simple, but it's at least pretty easy once you get the hang of it.

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=_internal source="*metrics.log" group="per_*_thruput" | dedup group | sort group</param>
  <param name="earliest">-1h</param>
  <param name="latest">now</param>

  <module name="Pulldown">
    <param name="name">group</param>
    <param name="label">Group</param>
    <param name="template">$name$="$value$"</param>
    <param name="valueField">group</param>

    <module name="Search">
      <param name="search">index=_internal source="*metrics.log" $group$ | dedup series | sort series</param>
      <param name="earliest">-1h</param>
      <param name="latest">now</param>

      <module name="Pulldown">
        <param name="name">series</param>
        <param name="label">Series</param>
        <param name="template">$name$="$value$"</param>
        <param name="valueField">series</param>

        <module name="Search">
          <param name="search">index=_internal source="*metrics.log" $group$ $series$ | stats min(eps) avg(eps) max(eps) by series</param>
          <param name="earliest">-1h</param>
          <param name="latest">now</param>

          <module name="Pager">      
            <module name="Table"></module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

In English, we set up a Search module, and then the Pulldown module downstream will use that dispatched search to get its results and populate itself. Then the selection from that first Pulldown is just plugged right into a second Search module (note $group$), and there's a second Pulldown module that will use the second search to populate itself. Then finally, downstream from the second Pulldown, the selections from both Pulldowns are plugged right into a third Search module (note $group$ $series$). And then we finally render the stats for the selected group and series in a Table module.

For more advanced users that don't want to spend one whole search to render each Pulldown, with the Sideview Pulldown module you can rig up both Pulldowns to work from a single search,

index=_internal source="*metrics.log" group="per_*_thruput" | stats count by group series

and then use the Pulldown's postProcess param to slice out just the group values, or just the series values, as desired for each Pulldown. Check out the docs for more details about postProcess.

Note: this example will only work with the latest Sideview Utils - the valueField param replaced the searchFieldsToDisplay param as of 2.0, and the Table module is new in Sideview Utils 2.2

http://sideviewapps.com/apps/sideview-utils/
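
The single-search variant described in the answer above, written out as an added example that is not part of the original post or the Sideview docs. It reuses the answer's module and param names and assumes that a Pulldown's postProcess param filters only that Pulldown's own option list and accepts upstream tokens such as $group$.

```xml
<!-- Added example: one dispatched search feeds both Pulldowns. -->
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">index=_internal source="*metrics.log" group="per_*_thruput" | stats count by group series</param>
  <param name="earliest">-1h</param>
  <param name="latest">now</param>

  <module name="Pulldown">
    <param name="name">group</param>
    <param name="label">Group</param>
    <param name="template">$name$="$value$"</param>
    <param name="valueField">group</param>
    <!-- Slice out the distinct group values from the shared results. -->
    <param name="postProcess">dedup group | sort group</param>

    <module name="Pulldown">
      <param name="name">series</param>
      <param name="label">Series</param>
      <param name="template">$name$="$value$"</param>
      <param name="valueField">series</param>
      <!-- Assumption: $group$ expands here to group="<selected value>",
           so only series belonging to the selected group are listed. -->
      <param name="postProcess">search $group$ | dedup series | sort series</param>

      <!-- The stats table still needs its own search over the raw events. -->
      <module name="Search">
        <param name="search">index=_internal source="*metrics.log" $group$ $series$ | stats min(eps) avg(eps) max(eps) by series</param>
        <param name="earliest">-1h</param>
        <param name="latest">now</param>

        <module name="Pager">
          <module name="Table"></module>
        </module>
      </module>
    </module>
  </module>
</module>
```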
