Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to retrieve the correct populating for different choice values in dropdown box

edwinmae
Path Finder
‎04-01-2016 05:21 AM

We have 2 Data Centers: US and UK
Let's say we have 10 servers per Data Center

Now when I use the 'setup' below, I am able to retrieve all the servers and all the US servers as the US servers have the letter 'C' in their hostname. Unfortunately the servers in the US don't have a letter or something else that clearly differentiates them from the UK servers.

The only logical way would be to sort them on bases of the IP address (as US and UK have different IP ranges). Unfortunately I didn't succeed with that and I am bit stucked. (although the populating query gives me, however, the hostnames and IP addresses)

Is there a way to have the choice values, using IP Addresses and/or using some search per choice value?

<fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="sourceHost">
      <label>Data Center</label>
      <choice value="*?*">UK</choice>
      <choice value="*C*">US</choice>
      <choice value="*">ALL</choice>
      <populatingSearch fieldForLabel="ALL" fieldForValue="*">index=_internal source=*metrics.log group=tcpin_connections   | eval sourceHost=if(isnull(hostname), sourceHost,hostname)   | fields sourceIp sourceHost | table sourceHost sourceIp</populatingSearch>

Thanks in advance for any help with this!

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2016 09:23 AM

Try something like this

Assuming the value is to be used with field hostname (hostname=$sourceHost$)

 <fieldset submitButton="true" autoRun="true">
     <input type="dropdown" token="sourceHost">
       <label>Data Center</label>
       <choice value="NOT hostname=*C*">UK</choice>
       <choice value="hostname=*C*">US</choice>
       <choice value="hostname=*">ALL</choice>
       <default>ALL</default>
       <populatingSearch fieldForLabel="sourceHostVal" fieldForValue="sourceHost">index=_internal source=*metrics.log group=tcpin_connections   | eval sourceHost=if(isnull(hostname), sourceHost,hostname)   | stats count by sourceHost | table sourceHost | eval sourceHostVal="hostname=".sourceHost </populatingSearch>
0 Karma
Reply

edwinmae
Path Finder
‎04-04-2016 03:57 AM

I am version using 6.1

0 Karma
Reply

edwinmae
Path Finder
‎04-03-2016 11:54 PM

-- It sounded too good to be true --

1
I have one dashboard where I retrieve all the servers separately -- that works fine

 Populating search:   index="perfmon" | dedup host

2
For the second dashboard I want to have 3 groups:
1) all servers for the UK
2) all servers for the US
3) all the servers for the UK and the US.

This means that I only want to see UK, US and ALL in the drop-down box and not the individual servers. My current setup works for 3) ALL and 2) the US, but not for the UK as explained in my first mail.

In your setup I get the individual servers listed in the drop-down box (as well) and neither the UK, US and ALL works (anymore). Also the individual servers don't work

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side.

I tried different combinations but in the end the US and ALL throw the above 'Error' and UK says No results found.

I like the idea of listing all servers that don't have a the letter 'C' in the hostname as it should probably be the easiest way, assuming it's possible somehow to use NOT or !=

Please advise

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...