Hello
I have an Environment, Host and Source Type Multiselect boxes. I populate Environment from CSV file Host column. And then I populate Host box with Host column of CSV based on Environment type (selected from Environment box). Now I have *
as default option in Host box. So I want to pass all Host names to search when *
selected.
For example, when I select DEV from Environment box the Host Multiselect would be populated with DEV Host names (Host1, Host2, Host3. Host4). So when user picks *
then I want to add Host1, Host2, Host3. Host4 to my dashboard panel search.
I have been trying to do something like this but couldn't figure our exact code.
index=temp_001 sourcetype=* [ inputlookup env_host_dfn | search Environment="DEV" | table Host | fields Host | rename Host as host | format ]
the CSV file has two columns 'Environment ' and 'Host'
Please refer my code as below. Appreciate for your help.
DCPS Server Logs Dynamic Dashboard
<input type="time" token="time_token">
<label>Select Time Range</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="env_tkn" searchWhenChanged="true">
<label>Select one or multiple ENV/s</label>
<choice value="*">*</choice>
<search>
<query>| inputlookup env_dfn | dedup Environment | sort Environment</query>
</search>
<fieldForLabel>Environment</fieldForLabel>
<fieldForValue>Environment</fieldForValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR Environment=</delimiter>
</input>
<input type="multiselect" token="selected_host" searchWhenChanged="true">
<label>Select one or multiple Host/s</label>
<choice value="*">*</choice>
<search>
<query>| inputlookup env_host_dfn | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
<earliest>0</earliest>
</search>
<fieldForLabel>Host</fieldForLabel>
<fieldForValue>Host</fieldForValue>
<delimiter> OR host=</delimiter>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="false">
<label>Select one or multiple Source Type/s</label>
<search>
<query>index=temptesting_007 host =$selected_host$ | stats count by sourcetype | sort limit=100 sourcetype</query>
<earliest>0</earliest>
</search>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<delimiter> OR sourcetype=</delimiter>
<choice value="*">*</choice>
</input>
<input type="text" token="extra_tkn">
<label>Add additional search string (optional)</label>
<default>*</default>
</input>
<panel>
<table>
<title>Stats by Host and Source Type</title>
<search>
<query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$ AND $extra_tkn$ | stats count by host sourcetype</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
<panel>
<table>
<title>Timechart by Sourcetype</title>
<search>
<query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$ AND $extra_tkn$ | timechart count by sourcetype</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
Update your panel searches with this
index=temptesting_007 [ | inputlookup env_host_dfn | search (Environment=$env_tkn$) | rename Host as host | search host=$selected_host$ | table host | format ] sourcetype =$source_type$ AND $extra_tkn$
|...rest of the search...
Try this,
Lookup, env_dfn.csv
Environment Host
DEV host1_dev
DEV host2_dev
DEV host3_dev
TEST t_host1_dev
TEST t_ host2_dev
TEST t_host3_dev
Source:
<form>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time_token">
<label>Select Time Range</label>
<default>
<earliest>-15m</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="env_tkn" searchWhenChanged="true">
<label>Select one or multiple ENV/s</label>
<choice value="*">All</choice>
<search>
<query>| inputlookup env_dfn.csv | dedup Environment | sort Environment</query>
</search>
<fieldForLabel>Environment</fieldForLabel>
<fieldForValue>Environment</fieldForValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR Environment=</delimiter>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="multiselect" token="selected_host" searchWhenChanged="true">
<label>Select one or multiple Host/s</label>
<choice value="*">All</choice>
<search>
<query>| inputlookup env_dfn.csv | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
<earliest>0</earliest>
</search>
<fieldForLabel>Host</fieldForLabel>
<fieldForValue>Host</fieldForValue>
<delimiter> OR host=</delimiter>
<default>*</default>
<initialValue>*</initialValue>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="true">
<label>Select one or multiple Source Type/s</label>
<search>
<query>index=temptesting_007 [| inputlookup env_dfn.csv | rename Host as host | search Environment=$env_tkn$ (host=$selected_host$) | stats c by host |table host | format]| stats count by sourcetype | sort limit=100 sourcetype</query>
<earliest>0</earliest>
</search>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<delimiter> OR sourcetype=</delimiter>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="text" token="extra_tkn" searchWhenChanged="true">
<label>Add additional search string (optional)</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Stats by Host and Source Type</title>
<search>
<query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$ AND $extra_tkn$ | stats count by host sourcetype</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
<panel>
<table>
<title>Timechart by Sourcetype</title>
<search>
<query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$ AND $extra_tkn$ | timechart count by sourcetype</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
</form>
Update your panel searches with this
index=temptesting_007 [ | inputlookup env_host_dfn | search (Environment=$env_tkn$) | rename Host as host | search host=$selected_host$ | table host | format ] sourcetype =$source_type$ AND $extra_tkn$
|...rest of the search...
Wow, You made my day. It is perfectly working the way I wanted.
Thanks a lot.