Re: Drop-down not populating with right values bas...

nmohammed · ‎05-10-2016

I have two drop-downs: one for clientid and another one for the host. While I am running a regex real-time to pull the host field, as it is not extracted due to the log inputs being from a single shared location.

The host field should get populated based on the clientid selected in the first drop-down, also doesn't restore the defaults. I am attaching the XML.

Encompass Service Review Dashboard
Application and Infrastructure Performance

<input type="time" token="time" searchWhenChanged="false">
  <label>Select Time Range</label>
  <default>
    <earliestTime>-15m</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>
<input type="dropdown" token="clientid">
  <label>Select Client ID</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup clientid.csv | dedup clientid  | eval c = clientid+" - "+client_name | table c, clientid | sort c</query>
    <earliest>-1d@d</earliest>
    <latest>@d</latest>
  </search>
  <fieldForLabel>c</fieldForLabel>
  <fieldForValue>clientid</fieldForValue>
</input>
<input type="dropdown" token="span" searchWhenChanged="false">
  <label>Select Time Intervals</label>
  <choice value="5m">5 Minutes</choice>
  <choice value="15m">15 Minutes</choice>
  <choice value="30m">30 Minutes</choice>
  <choice value="1h">1 Hour</choice>
  <choice value="1d">1 Day</choice>
  <choice value="30d">1 Month</choice>
  <choice value="1m">1 Minute</choice>
  <choice value="30s">30 Seconds</choice>
  <choice value="1s">1 Second</choice>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
  <label>Server</label>
  <search>
    <query>index="e_logs" clientid=1111111  earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)"    | stats count by hostr</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <choice value="*">All</choice>
</input>


<panel>
  <chart>
    <title>CPU Utilization</title>
    <search>
      <query>index="perfmon" sourcetype="Perfmon:CPUTime" host=$host$ | bucket _time span=$span$ | timechart avg(Value)</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
<panel>
  <chart>
    <title>Memory Utilization</title>
    <search>
      <query>index=perfmon sourcetype="Perfmon:Memory" counter="Committed Bytes" host=$host$ | eval AMB=Value/(1024*1024) |bucket _time span=$span$ | stats avg(AMB) as "Used(MB)" by _time | appendcols [search index=perfmon sourcetype="Perfmon:Memory" counter="Available MBytes" host=$host$ | bucket _time span=$span$ | stats avg(Value) as "AvailableMem(MB)" by _time] | table _time, AvailableMem(MB), Used(MB)</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">area</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
<panel>

The second drop-down is the server field, which is not working. Based on this the :

  <label>Server</label>
  <search>
    <query>index="e_logs" clientid=111111  earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)"    | stats count by host</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <choice value="*">All</choice>
</input>


<panel>

The charts for CPU and Memory are based on this "host" field that gets populated in the drop-down. I am unable to get it dynamically passed in the CPU and Memory charts , as the perfmon data is from a different index and the host field is coming from a different index.

Please advise on this. Appreciate your help.!!!

gokadroid · ‎10-12-2016

There are two things:

1) In your original xml you have a typo in query, hostr rather than host

     index="e_logs" clientid=1111111  earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P[^\.]+)"    | stats count by hostr

2) In the second extract of xml for the second dropdown, even though the query is correct how is it supposed to change at runtime when you have hardcoded the clientid=111111 *. Can you change it to *$clientid$ the token that get passed on from the first dropdown.

So basically whatever is your token being passed from first search, I am taking it as $clientid$, use that in the search of second drop down:

 

index="e_logs" clientid=$clientid$ earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P[^.]+)"    | stats count by host

Drop-down not populating with right values based on 1st drop-down and doesn't restore to defaults

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Drop-down not populating with right values based on 1st drop-down and doesn't restore to defaults

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine