I have two dropdowns
Dropdown one:
Groups all the status codes, which will display "Client Error" OR "Server Error"
Dropdown two:
Is auto-populated depending on Dropdown one.
For example:
If Client Error is selected in Dropdown one, Dropdown two will have options like 404, 401, 405, etc. My default value is * (ALL), but when it is passed to the search, it searches all values, including those other than Client Error.
I can group eval a group in all the searches, but I don't want to do that.
The only other way is to pass all the values that are dynamically populated to the search with an OR delimiter.
Just to make it clear, if Dropdown1: Client error
and Dropdown 2: 400
404
406
The search should look something like this: host=* statuscode= 400 OR 404 OR 406 | stats count by statuscode.
<input type="dropdown" token="status" searchWhenChanged="true">
  <label>Select response status code:</label>
  <choice value="*">ALL</choice>
  <change>
    <condition label="ALL">
      <set token="status">$value$</set>
    </condition>
  </change>
  <fieldForLabel>s</fieldForLabel>
  <fieldForValue>s</fieldForValue>
  <search>
    <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| search Tstatus="$field3$"
| dedup s</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
<input type="dropdown" token="field3" searchWhenChanged="true">
  <label>Select response status:</label>
  <choice value="*">ALL</choice>
  <fieldForLabel>status</fieldForLabel>
  <fieldForValue>status</fieldForValue>
  <search>
    <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval status=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| dedup status</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
That is the code I'm using.
Thanks for your time!
If I understand your query right, you don't want to use * but you want to explicitly specify values like val1 OR val2, etc.
To do this, you'll have to add a few lines (lines 6 - 12) to the end of the query, as shown here:
index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| search Tstatus="$field3$"
| dedup s
| rename s as search
| appendpipe
[| format]
| rename search as label
| eval value=label
| eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value)
| sort sortord
The sortord is just there to ensure that ALL appears first on the list. You can omit that if you don't need it.
Your input will just have the following:
<input type="dropdown" token="status" searchWhenChanged="true">
  <label>Select response status code:</label>
  <fieldForLabel>s</fieldForLabel>
  <fieldForValue>s</fieldForValue>
  <search>
    <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| search Tstatus="$field3$"
| dedup s
| rename s as search
| appendpipe
[| format]
| rename search as label
| eval value=label
| eval label=if(match(label,"OR"), "ALL", label), sortord=if(label=="ALL", 0, value)
| sort sortord</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
</input>
Note: This will only work if your search has any results. If not, your input will never populate.
Hope this helps
Cheers!
Do it like this:
...
<fieldset autoRun="false" submitButton="true">
  <input type="dropdown" token="statuscodeToken" searchWhenChanged="false">
    <label>Select an Application:</label>
    <prefix>statuscode IN(</prefix>
    <suffix>)</suffix>
    <choice value="400, 404, 406">All</choice>
    <fieldForLabel>label</fieldForLabel>
    <fieldForValue>value</fieldForValue>
    <search>
      <query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
      <earliest>-1s</earliest>
      <latest>now</latest>
    </search>
...
Then, in your search, just do like this:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo $statuscodeToken$
@woodcock thanks for your response. I just updated my question with the code I'm using; can you update your answer with that code, please?
Thanks!