How to add all CSV file entries to search when ALL is selected in multiselect?

New Member

Hello
I have Environment, Host and Source Type multiselect boxes. I populate Environment from the CSV file's Host column, and then I populate the Host box with the Host column of the CSV based on the Environment type (selected from the Environment box). I have * as the default option in the Host box, so I want to pass all Host names to the search when * is selected.

For example, when I select DEV from the Environment box, the Host multiselect is populated with the DEV Host names (Host1, Host2, Host3, Host4). So when the user picks *, I want to add Host1, Host2, Host3, Host4 to my dashboard panel search.

I have been trying to do something like this but couldn't figure out the exact code.

index=temp_001 sourcetype=* [ inputlookup env_host_dfn | search Environment="DEV" | table Host | fields Host | rename Host as host | format  ]

The CSV file has two columns, 'Environment' and 'Host'.

Please refer to my code below. I appreciate your help.

DCPS Server Logs Dynamic Dashboard

<input type="time" token="time_token">
  <label>Select Time Range</label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="multiselect" token="env_tkn" searchWhenChanged="true">
  <label>Select one or multiple ENV/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_dfn | dedup Environment | sort Environment</query>
  </search>
  <fieldForLabel>Environment</fieldForLabel>
  <fieldForValue>Environment</fieldForValue>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR Environment=</delimiter>
</input>
<input type="multiselect" token="selected_host" searchWhenChanged="true">
  <label>Select one or multiple Host/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_host_dfn | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>Host</fieldForLabel>
  <fieldForValue>Host</fieldForValue>
  <delimiter> OR host=</delimiter>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="false">
  <label>Select one or multiple Source Type/s</label>
  <search>
    <query>index=temptesting_007 host =$selected_host$ | stats count by sourcetype | sort limit=100 sourcetype</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <delimiter> OR sourcetype=</delimiter>
  <choice value="*">*</choice>
</input>
<input type="text" token="extra_tkn">
  <label>Add additional search string (optional)</label>
  <default>*</default>
</input>


<panel>
  <table>
    <title>Stats by Host and Source Type</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table>
    <title>Timechart by Sourcetype</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
1 Solution

SplunkTrust

Update your panel searches with this

index=temptesting_007 [ | inputlookup env_host_dfn | search (Environment=$env_tkn$) | rename Host as host | search host=$selected_host$  | table host | format  ] sourcetype =$source_type$  AND $extra_tkn$ 
|...rest of the search...

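How the subsearch in the answer above resolves `*`, as an added Python model that is not part of the original posts. The function names and the sample lookup rows are constructed for illustration, and the `format` output follows the command's documented default layout.

```python
import csv
import io
import re

# Constructed sample lookup with the two columns used in the thread.
LOOKUP_CSV = """Environment,Host
DEV,host1_dev
DEV,host2_dev
DEV,host3_dev
TEST,t_host1_dev
TEST,t_host2_dev
TEST,t_host3_dev
"""

def render_token(values, prefix="", suffix="", delimiter=" "):
    """Multiselect token: prefix + value + suffix for each choice, joined by delimiter."""
    return delimiter.join(f"{prefix}{v}{suffix}" for v in values)

def _matches(value, patterns):
    # Model of SPL `search` matching: case-insensitive, * is the only wildcard.
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), value, re.I)
               for p in patterns)

def subsearch_hosts(envs, hosts):
    """Lookup rows that pass both `search` filters inside the subsearch."""
    rows = csv.DictReader(io.StringIO(LOOKUP_CSV))
    return [r["Host"] for r in rows
            if _matches(r["Environment"], envs) and _matches(r["Host"], hosts)]

def spl_format(hosts, field="host"):
    """String that `| table host | format` returns to the outer search."""
    if not hosts:
        return "NOT( )"  # format's documented default when there are no rows
    return "( " + " OR ".join(f'( {field}="{h}" )' for h in hosts) + " )"

def panel_search(envs, hosts):
    """Outer search after the subsearch has been expanded."""
    return "index=temptesting_007 " + spl_format(subsearch_hosts(envs, hosts))

if __name__ == "__main__":
    # Plain token substitution: * stays a wildcard over every host in the index.
    print("host=" + render_token(["*"], delimiter=" OR host="))
    # Subsearch: * resolves to the hosts listed for the selected environment.
    print(panel_search(["DEV"], ["*"]))
    print(panel_search(["DEV", "TEST"], ["host1_dev", "t_host3_dev"]))
```
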

Motivator

Try this,

Lookup, env_dfn.csv

Environment  Host
DEV          host1_dev
DEV          host2_dev
DEV          host3_dev
TEST         t_host1_dev
TEST         t_host2_dev
TEST         t_host3_dev

Source:

<form>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_token">
      <label>Select Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="env_tkn" searchWhenChanged="true">
      <label>Select one or multiple ENV/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | dedup Environment | sort Environment</query>
      </search>
      <fieldForLabel>Environment</fieldForLabel>
      <fieldForValue>Environment</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR Environment=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="selected_host" searchWhenChanged="true">
      <label>Select one or multiple Host/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>Host</fieldForLabel>
      <fieldForValue>Host</fieldForValue>
      <delimiter> OR host=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="source_type" searchWhenChanged="true">
      <label>Select one or multiple Source Type/s</label>
      <search>
        <query>index=temptesting_007 [| inputlookup env_dfn.csv | rename Host as host | search Environment=$env_tkn$ (host=$selected_host$) | stats c by host  |table host | format]| stats count by sourcetype | sort limit=100 sourcetype</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR sourcetype=</delimiter>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="extra_tkn" searchWhenChanged="true">
      <label>Add additional search string (optional)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Stats by Host and Source Type</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Timechart by Sourcetype</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

New Member

Wow, you made my day. It is working perfectly, the way I wanted.

Thanks a lot.
