
How to add all CSV file entries to search when ALL is selected in multiselect?

sanjeevt
Explorer

Hello
I have Environment, Host and Source Type multiselect boxes. I populate Environment from the CSV file Host column. And then I populate the Host box with the Host column of the CSV based on Environment type (selected from the Environment box). Now I have * as the default option in the Host box. So I want to pass all Host names to the search when * is selected.

For example, when I select DEV from the Environment box, the Host multiselect would be populated with DEV Host names (Host1, Host2, Host3, Host4). So when the user picks *, I want to add Host1, Host2, Host3, Host4 to my dashboard panel search.

I have been trying to do something like this but couldn't figure out the exact code.

index=temp_001 sourcetype=* [ inputlookup env_host_dfn | search Environment="DEV" | table Host | fields Host | rename Host as host | format  ]

The CSV file has two columns, 'Environment' and 'Host'.

Please refer to my code below. I appreciate your help.

DCPS Server Logs Dynamic Dashboard

<input type="time" token="time_token">
  <label>Select Time Range</label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="multiselect" token="env_tkn" searchWhenChanged="true">
  <label>Select one or multiple ENV/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_dfn | dedup Environment | sort Environment</query>
  </search>
  <fieldForLabel>Environment</fieldForLabel>
  <fieldForValue>Environment</fieldForValue>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR Environment=</delimiter>
</input>
<input type="multiselect" token="selected_host" searchWhenChanged="true">
  <label>Select one or multiple Host/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_host_dfn | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>Host</fieldForLabel>
  <fieldForValue>Host</fieldForValue>
  <delimiter> OR host=</delimiter>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="false">
  <label>Select one or multiple Source Type/s</label>
  <search>
    <query>index=temptesting_007 host =$selected_host$ | stats count by sourcetype | sort limit=100 sourcetype</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <delimiter> OR sourcetype=</delimiter>
  <choice value="*">*</choice>
</input>
<input type="text" token="extra_tkn">
  <label>Add additional search string (optional)</label>
  <default>*</default>
</input>


<panel>
  <table>
    <title>Stats by Host and Source Type</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table>
    <title>Timechart by Sourcetype</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
1 Solution

somesoni2
Revered Legend

Update your panel searches with this

index=temptesting_007 [ | inputlookup env_host_dfn | search (Environment=$env_tkn$) | rename Host as host | search host=$selected_host$  | table host | format  ] sourcetype =$source_type$  AND $extra_tkn$ 
|...rest of the search...
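
What the subsearch in the answer above hands back to the outer search, as an added example that is not part of the original posts: a simplified Python model of Simple XML multiselect token building and of the default `format` output. The `LOOKUP` rows are constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample rows standing in for the env_host_dfn lookup (Environment, Host).
LOOKUP = [
    ("DEV", "host1_dev"), ("DEV", "host2_dev"), ("DEV", "host3_dev"),
    ("TEST", "t_host1_dev"), ("TEST", "t_host2_dev"),
]

def token_value(selected, delimiter, value_prefix="", value_suffix=""):
    """Build a multiselect token the way Simple XML does: each value wrapped
    in valuePrefix/valueSuffix, then joined with <delimiter>."""
    return delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in selected)

def matches(value, patterns):
    """Case-insensitive match where '*' is the only wildcard, as in `search`."""
    for p in patterns:
        rx = ".*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(rx, value, flags=re.IGNORECASE):
            return True
    return False

def format_subsearch(envs, hosts, lookup=LOOKUP):
    """Model of: inputlookup | search Environment=... | rename Host as host
    | search host=... | table host | format"""
    rows = [h for env, h in lookup if matches(env, envs) and matches(h, hosts)]
    if not rows:
        # format emits a match-nothing term for an empty result set
        # (documented default emptystr is NOT( )).
        return "NOT( )"
    return "( " + " OR ".join(f'( host="{h}" )' for h in rows) + " )"

def panel_search(envs, hosts, sourcetypes=("*",), extra="*"):
    """Assemble the panel search string with the subsearch already expanded."""
    st = token_value(sourcetypes, " OR sourcetype=")
    return (f"index=temptesting_007 {format_subsearch(envs, hosts)} "
            f"sourcetype={st} AND {extra}")

if __name__ == "__main__":
    # Environment token as the dashboard builds it: "DEV" OR Environment="TEST"
    print(token_value(["DEV", "TEST"], " OR Environment=", '"', '"'))
    # Host box left at '*': the outer search gets only the DEV hosts from the lookup.
    print(panel_search(["DEV"], ["*"]))
    # A host that is not in the selected environment yields no rows.
    print(panel_search(["TEST"], ["host1_dev"]))
```

With `*` in the Host box the outer search is limited to the hosts listed for the selected environment, not to every host in the index, which is the difference from passing `host=*` directly.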


vasanthmss
Motivator

Try this,

Lookup, env_dfn.csv

Environment  Host
DEV          host1_dev
DEV          host2_dev
DEV          host3_dev
TEST         t_host1_dev
TEST         t_host2_dev
TEST         t_host3_dev

Source:

<form>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_token">
      <label>Select Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="env_tkn" searchWhenChanged="true">
      <label>Select one or multiple ENV/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | dedup Environment | sort Environment</query>
      </search>
      <fieldForLabel>Environment</fieldForLabel>
      <fieldForValue>Environment</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR Environment=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="selected_host" searchWhenChanged="true">
      <label>Select one or multiple Host/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>Host</fieldForLabel>
      <fieldForValue>Host</fieldForValue>
      <delimiter> OR host=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="source_type" searchWhenChanged="true">
      <label>Select one or multiple Source Type/s</label>
      <search>
        <query>index=temptesting_007 [| inputlookup env_dfn.csv | rename Host as host | search Environment=$env_tkn$ (host=$selected_host$) | stats c by host  |table host | format]| stats count by sourcetype | sort limit=100 sourcetype</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR sourcetype=</delimiter>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="extra_tkn" searchWhenChanged="true">
      <label>Add additional search string (optional)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Stats by Host and Source Type</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Timechart by Sourcetype</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
V

sanjeevt
Explorer

Wow, you made my day. It is working perfectly the way I wanted.

Thanks a lot.
