Dashboards & Visualizations

How to add all CSV file entries to search when ALL is selected in multiselect?

New Member

Hello
I have Environment, Host and Source Type multiselect boxes. I populate Environment from the CSV file's Host column. And then I populate the Host box with the Host column of the CSV based on Environment type (selected from the Environment box). Now I have * as the default option in the Host box. So I want to pass all Host names to the search when * is selected.

For example, when I select DEV from the Environment box, the Host multiselect would be populated with the DEV Host names (Host1, Host2, Host3, Host4). So when the user picks *, I want to add Host1, Host2, Host3, Host4 to my dashboard panel search.

I have been trying to do something like this but couldn't figure out the exact code.

index=temp_001 sourcetype=* [ inputlookup env_host_dfn | search Environment="DEV" | table Host | fields Host | rename Host as host | format  ]

The CSV file has two columns, 'Environment' and 'Host'.

Please refer to my code below. I appreciate your help.

DCPS Server Logs Dynamic Dashboard

<input type="time" token="time_token">
  <label>Select Time Range</label>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>
<input type="multiselect" token="env_tkn" searchWhenChanged="true">
  <label>Select one or multiple ENV/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_dfn | dedup Environment | sort Environment</query>
  </search>
  <fieldForLabel>Environment</fieldForLabel>
  <fieldForValue>Environment</fieldForValue>
  <valuePrefix>"</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <delimiter> OR Environment=</delimiter>
</input>
<input type="multiselect" token="selected_host" searchWhenChanged="true">
  <label>Select one or multiple Host/s</label>
  <choice value="*">*</choice>
  <search>
    <query>| inputlookup env_host_dfn | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>Host</fieldForLabel>
  <fieldForValue>Host</fieldForValue>
  <delimiter> OR host=</delimiter>
</input>
<input type="multiselect" token="source_type" searchWhenChanged="false">
  <label>Select one or multiple Source Type/s</label>
  <search>
    <query>index=temptesting_007 host =$selected_host$ | stats count by sourcetype | sort limit=100 sourcetype</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>sourcetype</fieldForLabel>
  <fieldForValue>sourcetype</fieldForValue>
  <delimiter> OR sourcetype=</delimiter>
  <choice value="*">*</choice>
</input>
<input type="text" token="extra_tkn">
  <label>Add additional search string (optional)</label>
  <default>*</default>
</input>


<panel>
  <table>
    <title>Stats by Host and Source Type</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>


<panel>
  <table>
    <title>Timechart by Sourcetype</title>
    <search>
      <query>index=temptesting_007 host =$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>
1 Solution

Revered Legend

Update your panel searches with this

index=temptesting_007 [ | inputlookup env_host_dfn | search (Environment=$env_tkn$) | rename Host as host | search host=$selected_host$  | table host | format  ] sourcetype =$source_type$  AND $extra_tkn$ 
|...rest of the search...

View solution in original post
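
How the search above expands once the tokens are substituted, modelled in Python as an added example (not part of the original thread and not Splunk code). The lookup rows and helper names are constructed for illustration, and the model covers only wildcard matching and the default `format` output.

```python
import re

# Constructed rows standing in for the env_host_dfn lookup (Environment, Host)
LOOKUP = [("DEV", "Host1"), ("DEV", "Host2"), ("DEV", "Host3"),
          ("DEV", "Host4"), ("TEST", "THost1"), ("TEST", "THost2")]


def render_multiselect(values, delimiter, value_prefix="", value_suffix=""):
    """Text a multiselect token expands to: wrapped values joined by <delimiter>."""
    return delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in values)


def spl_match(value, pattern):
    """Field comparison in `search`: case-insensitive, with * as a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def subsearch_terms(envs, hosts):
    """Model of: inputlookup | search Environment=.. | rename Host as host
    | search host=.. | table host | format"""
    kept = [host for env, host in LOOKUP
            if any(spl_match(env, e) for e in envs)
            and any(spl_match(host, p) for p in hosts)]
    if not kept:
        # format then emits a never-matching placeholder instead of a host list
        return None
    return "( " + " OR ".join(f'( host="{h}" )' for h in kept) + " )"


def panel_search(envs, hosts):
    """Outer search after the subsearch result is substituted in."""
    terms = subsearch_terms(envs, hosts)
    return None if terms is None else f"index=temptesting_007 {terms}"


if __name__ == "__main__":
    # Subsearch text after token substitution, using the delimiters from the inputs
    env_tkn = render_multiselect(["DEV"], " OR Environment=", '"', '"')
    host_tkn = render_multiselect(["*"], " OR host=")
    print(f"search (Environment={env_tkn}) ... search host={host_tkn}")
    print(panel_search(["DEV"], ["*"]))                # all DEV hosts from the lookup
    print(panel_search(["DEV"], ["Host1", "Host3"]))   # only the picked hosts
```

Because the host list comes from the lookup, selecting * limits the panel to hosts listed for the chosen environment instead of matching every host in the index.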

Motivator

Try this,

Lookup, env_dfn.csv

Environment  Host
DEV          host1_dev
DEV          host2_dev
DEV          host3_dev
TEST         t_host1_dev
TEST         t_host2_dev
TEST         t_host3_dev

Source:

<form>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time_token">
      <label>Select Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="env_tkn" searchWhenChanged="true">
      <label>Select one or multiple ENV/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | dedup Environment | sort Environment</query>
      </search>
      <fieldForLabel>Environment</fieldForLabel>
      <fieldForValue>Environment</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR Environment=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="selected_host" searchWhenChanged="true">
      <label>Select one or multiple Host/s</label>
      <choice value="*">All</choice>
      <search>
        <query>| inputlookup env_dfn.csv | table Environment Host | search Environment=$env_tkn$ | dedup Host | table Host | sort Host</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>Host</fieldForLabel>
      <fieldForValue>Host</fieldForValue>
      <delimiter> OR host=</delimiter>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
    <input type="multiselect" token="source_type" searchWhenChanged="true">
      <label>Select one or multiple Source Type/s</label>
      <search>
        <query>index=temptesting_007 [| inputlookup env_dfn.csv | rename Host as host | search Environment=$env_tkn$ (host=$selected_host$) | stats c by host  |table host | format]| stats count by sourcetype | sort limit=100 sourcetype</query>
        <earliest>0</earliest>
      </search>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <delimiter> OR sourcetype=</delimiter>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="extra_tkn" searchWhenChanged="true">
      <label>Add additional search string (optional)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Stats by Host and Source Type</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | stats count by host sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Timechart by Sourcetype</title>
        <search>
          <query>index=temptesting_007 host=$selected_host$ sourcetype =$source_type$  AND $extra_tkn$ | timechart count by sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

New Member

Wow, you made my day. It is working perfectly the way I wanted.

Thanks a lot.
