Input to splunk is a csv file which has column headers like 'Falcon 15.01.01.03.100', 'Falcon GA 15.01.02.06.1'.. (there are values present under each of these columns in rows). on dashboard, there are 2 dropdowns.
Both the dropdowns should have values of these column header i.e. which has Falcon word in it. Only thing I want is, Value which is selected in 1st dropdown , should not be displayed in 2nd. Means if search returns 3 results, 1st dropdown should have 3 values in it and after selecting the one value from 1st dropdown.. second should have only 2 values in it.
in 1st dropdown, M executing this query: input.csv|fieldsummary Falcon | dedup field | table field >> returning me 3 results
What query should I execute in 2nd dropdown for above mentioned scenario?
Thanks in advance!!
@gpayal18 would you be able to share the code for your 2 drop downs? Based on the selected value in dropdown 1, you can add a search filter in the second dropdown. There is an example in Splunk Dashboard Examples App to create Cascaded Drilldowns which you can refer.
Following run anywhere example creates two inputs with same three dropdown values field1
and field2
. Value of field1
is used in field2 | search values!="$field1$"
. Additionally, field2
dropdown is hidden until field1
value is selected using depends attribute i.e. depends="$field1$"
<input type="dropdown" token="field1" searchWhenChanged="true">
<label>field1</label>
<fieldForLabel>fields</fieldForLabel>
<fieldForValue>values</fieldForValue>
<search>
<query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values</query>
</search>
</input>
<input type="dropdown" token="field2" searchWhenChanged="true" depends="$field1$">
<label>field2</label>
<fieldForLabel>fields</fieldForLabel>
<fieldForValue>values</fieldForValue>
<search>
<query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values
| search values!="$field1$"</query>
</search>
</input>
Thanks a lot!! Adding this parameter 'search values!="$field1$"' worked.
@gpayal18 glad it worked. While posting code/data on Splunk Answers make sure you use Code button (101010) or Shortcut Ctrl+K
after highlighting the code text. So that special characters do not escape!
@gpayal18 would you be able to share the code for your 2 drop downs? Based on the selected value in dropdown 1, you can add a search filter in the second dropdown. There is an example in Splunk Dashboard Examples App to create Cascaded Drilldowns which you can refer.
Following run anywhere example creates two inputs with same three dropdown values field1
and field2
. Value of field1
is used in field2 | search values!="$field1$"
. Additionally, field2
dropdown is hidden until field1
value is selected using depends attribute i.e. depends="$field1$"
<input type="dropdown" token="field1" searchWhenChanged="true">
<label>field1</label>
<fieldForLabel>fields</fieldForLabel>
<fieldForValue>values</fieldForValue>
<search>
<query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values</query>
</search>
</input>
<input type="dropdown" token="field2" searchWhenChanged="true" depends="$field1$">
<label>field2</label>
<fieldForLabel>fields</fieldForLabel>
<fieldForValue>values</fieldForValue>
<search>
<query>| makeresults
| fields - _*
| eval field1="value1", field2="value2", field3="value3"
| transpose column_name=fields
| rename "row 1" as values
| search values!="$field1$"</query>
</search>
</input>
Code for 2 dropdowns: