topic Re: i am reading from log file and have query to return all the host. can we include teh step to categories test/qa/prod in Dashboards & Visualizations

i am reading from log file and have query to return all the host. can we include teh step to categories test/qa/prod in

Jasmine — Wed, 10 Apr 2024 18:44:25 GMT

i am reading teh host from log file and have query to return all the host.

index=aaa source="/var/log/test1.log"|stats count by host

can we include teh step to categories test/qa/prod in the drop down list from the list of host returned in the query itself?(using wildcard if host has t then test /if host has q -qa server, etc?

but for now i am using static options

test - testhost

qa - qahost

prod - prodhost

Re: i am reading from log file and have query to return all the host. can we include teh step to categories test/qa/prod

bowesmana — Thu, 11 Apr 2024 00:24:36 GMT

You can use the populating search of the drop down to add dynamic options and do something like this to categorise the host type

index=aaa source="/var/log/test1.log" |stats count by host | eval category=case(match(host, "t"), "Test", match(host, "q"), "QA", match(host, "p"), "Prod", true(), "Unknown")

change the match statement regex as needed and the category you want to show.

category will be the <fieldForLabel> and then you need to make the <fieldForValue> to contain the value element you want for the token.

Re: i am reading from log file and have query to return all the host. can we include teh step to categories test/qa/prod

Jasmine — Fri, 12 Apr 2024 18:46:55 GMT

in QA and PROd i have 3 servers

test - testhost

qa - qahost1,qahost2,qahost3

prod - prodhost1,prodhost2,prodhost3

and my query would be for qa if i choose qa from dropdownlist

index=aaa(source="/var/log/tes1.log" (host=qahost1) OR (host=qahost2,) OR (host=qahost3) )

can you please help me integrate above one with below query?

index=aaa source="/var/log/test1.log" |stats count by host | eval category=case(match(host, "t"), "Test", match(host, "q"), "QA", match(host, "p"), "Prod", true(), "Unknown")

Re: i am reading from log file and have query to return all the host. can we include teh step to categories test/qa/prod

bowesmana — Mon, 15 Apr 2024 22:35:09 GMT

Here's a simple example

<form version="1.1"> <label>HostDropdown</label> <fieldset submitButton="false"> <input type="dropdown" token="hosts" searchWhenChanged="true"> <label>Host Types</label> <choice value="prodhost*">Production</choice> <choice value="qahost*">QA</choice> <choice value="testhost*">Test</choice> </input> </fieldset> <row> <panel> <table> <search> <query> index=aaa source="/var/log/test1.log" host=$hosts$ |stats count by host </query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>

I suggest you look at this and have a look through the documentation that describes this

https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML