
How to add all CSV file entries to search when ALL is selected in multiselect?

sanjeevt
Explorer

Hello
I have Environment, Host and Source Type multiselect boxes. I populate Environment from the CSV file's Host column. Then I populate the Host box with the Host column of the CSV based on the Environment type (selected from the Environment box). I have * as the default option in the Host box, so I want to pass all Host names to the search when * is selected.

For example, when I select DEV from the Environment box, the Host multiselect is populated with the DEV Host names (Host1, Host2, Host3, Host4). So when the user picks *, I want to add Host1, Host2, Host3, Host4 to my dashboard panel search.

I have been trying to do something like this but couldn't figure out the exact code.

index=temp_001 sourcetype=* [ inputlookup env_host_dfn | search Environment="DEV" | table Host | fields Host | rename Host as host | format  ]

The CSV file has two columns, 'Environment' and 'Host'.

Please refer to my code below. I appreciate your help.

DCPS Server Logs Dynamic Dashboard

<input type="time" token="time_token">
  <label>Select Time Range</label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="multiselect" token="env_tkn" searchWhenChanged="true">
  <label>Select one or multiple ENV/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_dfn | dedup Environment | sort Environment</query>
  </search>
  <fieldForLabel>Environment</fieldForLabel>
  <fieldForValue>Environment</fieldForValue>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR Environment=</delimiter>
</input>
<input type="multiselect" token="selected_host" searchWhenChanged="true">
  <label>Select one or multiple Host/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_host_dfn | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>Host</fieldForLabel>
  <fieldForValue>Host</fieldForValue>
  <delimiter> OR host=</delimiter>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="false">
  <label>Select one or multiple Source Type/s</label>
  <search>
    <query>index=temptesting_007 host =$selected_host$ | stats count by sourcetype | sort limit=100 sourcetype</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <delimiter> OR sourcetype=</delimiter>
  <choice value="*">*</choice>
</input>
<input type="text" token="extra_tkn">
  <label>Add additional search string (optional)</label>
  <default>*</default>
</input>


<panel>
  <table>
    <title>Stats by Host and Source Type</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table>
    <title>Timechart by Sourcetype</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
1 Solution

somesoni2
Revered Legend

Update your panel searches with this

index=temptesting_007 [ | inputlookup env_host_dfn | search (Environment=$env_tkn$) | rename Host as host | search host=$selected_host$  | table host | format  ] sourcetype =$source_type$  AND $extra_tkn$ 
|...rest of the search...

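How the accepted search resolves `*` to only the selected environment's hosts, modelled in Python as an added example (not code from this thread or from Splunk). The lookup rows are constructed, and `multiselect_token`, `parse_terms`, `subsearch_hosts`, `spl_format` and `panel_search` are hypothetical helpers that approximate Simple XML token expansion and the default output of the `format` command.

```python
from fnmatch import fnmatchcase

# Constructed sample rows standing in for the env_host_dfn lookup (Environment, Host).
LOOKUP = [
    ("DEV", "Host1"), ("DEV", "Host2"), ("DEV", "Host3"), ("DEV", "Host4"),
    ("TEST", "THost1"), ("TEST", "THost2"),
]

def multiselect_token(values, delimiter, value_prefix="", value_suffix=""):
    """Model of a multiselect token: wrap each value, then join with <delimiter>."""
    return delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in values)

def parse_terms(field, expr):
    """Split the text that follows 'field=' (e.g. 'a OR field=b') into patterns."""
    return [p.strip().strip('"') for p in expr.split(f" OR {field}=")]

def subsearch_hosts(env_token, host_token):
    """Model of: inputlookup | search Environment=... | rename Host as host
    | search host=... | table host  (matching is case-insensitive, * is a wildcard)."""
    envs = parse_terms("Environment", env_token)
    hosts = parse_terms("host", host_token)
    return [h for e, h in LOOKUP
            if any(fnmatchcase(e.lower(), p.lower()) for p in envs)
            and any(fnmatchcase(h.lower(), p.lower()) for p in hosts)]

def spl_format(hosts):
    """Approximation of `format` for a one-field result set."""
    if not hosts:
        # Assumption: stands in for the empty-result string, which matches nothing.
        return "NOT ( )"
    return "( " + " OR ".join(f'( host="{h}" )' for h in hosts) + " )"

def panel_search(env_values, host_values):
    """Build the first part of the panel search for the given selections."""
    env_tkn = multiselect_token(env_values, " OR Environment=", '"', '"')
    selected_host = multiselect_token(host_values, " OR host=")
    return "index=temptesting_007 " + spl_format(subsearch_hosts(env_tkn, selected_host))

if __name__ == "__main__":
    print(panel_search(["DEV"], ["*"]))               # all DEV hosts, nothing else
    print(panel_search(["DEV"], ["Host1", "Host3"]))  # only the picked hosts
    print(panel_search(["DEV"], ["THost1"]))          # host outside DEV: no match
```

In the original panel query, `host=*` matches every host in the index; with the subsearch, `*` is limited to the hosts the lookup lists for the selected environment.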

vasanthmss
Motivator

Try this,

Lookup, env_dfn.csv

Environment    Host
DEV            host1_dev
DEV            host2_dev
DEV            host3_dev
TEST           t_host1_dev
TEST           t_host2_dev
TEST           t_host3_dev

Source:

<form>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_token">
      <label>Select Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="env_tkn" searchWhenChanged="true">
      <label>Select one or multiple ENV/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | dedup Environment | sort Environment</query>
      </search>
      <fieldForLabel>Environment</fieldForLabel>
      <fieldForValue>Environment</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR Environment=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="selected_host" searchWhenChanged="true">
      <label>Select one or multiple Host/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>Host</fieldForLabel>
      <fieldForValue>Host</fieldForValue>
      <delimiter> OR host=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="source_type" searchWhenChanged="true">
      <label>Select one or multiple Source Type/s</label>
      <search>
        <query>index=temptesting_007 [| inputlookup env_dfn.csv | rename Host as host | search Environment=$env_tkn$ (host=$selected_host$) | stats c by host  |table host | format]| stats count by sourcetype | sort limit=100 sourcetype</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR sourcetype=</delimiter>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="extra_tkn" searchWhenChanged="true">
      <label>Add additional search string (optional)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Stats by Host and Source Type</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Timechart by Sourcetype</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
V

sanjeevt
Explorer

Wow, you made my day. It is working perfectly, the way I wanted.

Thanks a lot.
