How to create Dependent Multiselect filter in Splu...

itnewbie · ‎08-15-2023

Hi I have a dashboard with multiple filters. I have a "customer" and "subsidiary" filter. I want the "customer" filter to display corresponding companies depending on the selection of "subsidiary" filter.

My query for the "customer" filter is as follow, currently it is showing all companies

index IN ("organization_a_company", "organization_b_company")
| dedup name
| fields name

For the "subsidiary" filter, it has a static input with

Name - Value
============
All - *
OrgA - OrgA
OrgB - OrgB

However, since the value of "subsidiary" is different from the actual index name. I need to perform eval case to map to corresponding indexes name. I tried something dynamic in "customer" filter like:

index IN ("organization_a", "organization_b")
| eval $sub$ = "OrgA" <- the $sub$ token should come from the "subsidiary" filter, I am just testing here
| eval filteredIndex = case($sub$ == "OrgA", "organization_a", $sub$ == "OrgB", "organization_b", 1=1, "organization_*")
| search index IN ($filteredIndex$)
| dedup name
| fields name

but it didn't give any results. I tried follow the example here by using $$ but still no luck. And I don't think I can put the eval before the search right? but how can I make the index dynamic then. Thanks

gcusello · ‎08-15-2023

Hi @itnewbie,

I'd use for the subsidiary search thre fixed values (token called "sub"):

All: index=OrgA,
OrgA: index=OrgB
OrgB: index=OrgA OR index=OrgB

Then I'd use as search for the Customers:

$sub$
| dedup name
| fields name

Ciao.

Giuseppe

How to create Dependent Multiselect filter in Splunk dashboard?

eval

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?