Dashboards & Visualizations

How to retrieve the correct populating for different choice values in dropdown box

edwinmae
Path Finder

We have 2 Data Centers: US and UK
Let's say we have 10 servers per Data Center

Now when I use the 'setup' below, I am able to retrieve all the servers and all the US servers as the US servers have the letter 'C' in their hostname. Unfortunately the servers in the US don't have a letter or something else that clearly differentiates them from the UK servers.

The only logical way would be to sort them on bases of the IP address (as US and UK have different IP ranges). Unfortunately I didn't succeed with that and I am bit stucked. (although the populating query gives me, however, the hostnames and IP addresses)

Is there a way to have the choice values, using IP Addresses and/or using some search per choice value?


<fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="sourceHost">
      <label>Data Center</label>
      <choice value="*?*">UK</choice>
      <choice value="*C*">US</choice>
      <choice value="*">ALL</choice>
      <populatingSearch fieldForLabel="ALL" fieldForValue="*">index=_internal source=*metrics.log group=tcpin_connections   | eval sourceHost=if(isnull(hostname), sourceHost,hostname)   | fields sourceIp sourceHost | table sourceHost sourceIp</populatingSearch>

Thanks in advance for any help with this!

0 Karma

somesoni2
Revered Legend

Try something like this

Assuming the value is to be used with field hostname (hostname=$sourceHost$)

 <fieldset submitButton="true" autoRun="true">
     <input type="dropdown" token="sourceHost">
       <label>Data Center</label>
       <choice value="NOT hostname=*C*">UK</choice>
       <choice value="hostname=*C*">US</choice>
       <choice value="hostname=*">ALL</choice>
       <default>ALL</default>
       <populatingSearch fieldForLabel="sourceHostVal" fieldForValue="sourceHost">index=_internal source=*metrics.log group=tcpin_connections   | eval sourceHost=if(isnull(hostname), sourceHost,hostname)   | stats count by sourceHost | table sourceHost | eval sourceHostVal="hostname=".sourceHost </populatingSearch>
0 Karma

edwinmae
Path Finder

I am version using 6.1

0 Karma

edwinmae
Path Finder

-- It sounded too good to be true --

1
I have one dashboard where I retrieve all the servers separately -- that works fine

 Populating search:   index="perfmon" | dedup host

2
For the second dashboard I want to have 3 groups:
1) all servers for the UK
2) all servers for the US
3) all the servers for the UK and the US.

This means that I only want to see UK, US and ALL in the drop-down box and not the individual servers. My current setup works for 3) ALL and 2) the US, but not for the UK as explained in my first mail.

In your setup I get the individual servers listed in the drop-down box (as well) and neither the UK, US and ALL works (anymore). Also the individual servers don't work

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side.

I tried different combinations but in the end the US and ALL throw the above 'Error' and UK says No results found.

I like the idea of listing all servers that don't have a the letter 'C' in the hostname as it should probably be the easiest way, assuming it's possible somehow to use NOT or !=

Please advise

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...