In the dashboard, I have created three multi-select input fields.
CONTINENT, COUNTRY , STATE
Example : When I click on the CONTINENT drop down as "Asia", the COUNTRY drop down multiselect field automatically populates with asian coutries such as India, China, Japan etc... Now I select "India" in the COUNTRY field and STATE gets populated with Indian States such as Delhi, Goa etc... This works fine.
Say, for STATE the background spl running for the multiselect value population is something like this
index = $continent_token$ | host=$country_token$ | table STATE
The issue arises, when I select multiple values in any of the fields, then the next field doesn't populate any values. It only works when I select one field. Example : If I multi-select INDIA and CHINA under COUNTRY field then the STATES doen't populate anything. If i select only one, then only it populates.
Could anyone guide me on how to deal with this????
I want to be able to see the STATES of both INDIA and CHINA if I select (multiselect 2 countries) .
Just to add more clarification. In our system index value is CONTINENT, COUTRY is HOST and STATE is SourceType
So basically looking to select multiple hosts and then should able to see sourcetypes from all those hosts to be populated. Also to be able to select multiple indexes and the hosts of all those selected indices should come.
Thank you.
Hi @zacksoft, Use below multiselect token for country-
<input type="multiselect" token="host">
<label>select Country</label>
<fieldForLabel>Vehicle</fieldForLabel>
<fieldForValue>Vehicle</fieldForValue>
<search id="idSearchSelectIndex">
<query>your query</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default></default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
then use below query for state populaion-
index = $continent_token$ $host$ | table STATE
You can also use the IN component of search. When you have select multiple items in a multi-select dropdown, they are appended in a comma separated list.
Try the following.
index IN ($continent_token$) host IN ($country_token$)
Note also, you shouldn't have pipes in between search terms.
Hello,
Is a simple example to use multiselect, you can copy and past this example to have idea:
<fieldset submitButton="false">
<input type="multiselect" token="index">
<label>index</label>
<choice value="_internal">_internal</choice>
<choice value="_introspection">_introspection</choice>
<choice value="_audit">_audit</choice>
<choice value="_telemetry">_telemetry</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>index=</valuePrefix>
<delimiter> OR </delimiter>
</input>
<input type="multiselect" token="sourcetype">
<label>sourcetype</label>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>sourcetype=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>sourcetype</fieldForLabel>
<fieldForValue>sourcetype</fieldForValue>
<search>
<query>$index$ | dedup sourcetype | table sourcetype</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
Hi @zacksoft, Use below multiselect token for country-
<input type="multiselect" token="host">
<label>select Country</label>
<fieldForLabel>Vehicle</fieldForLabel>
<fieldForValue>Vehicle</fieldForValue>
<search id="idSearchSelectIndex">
<query>your query</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default></default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
then use below query for state populaion-
index = $continent_token$ $host$ | table STATE
I used as you suggested near COUNTRY (i.e. near host)
<input type="multiselect" token="choose_host" searchWhenChanged="true">
<label>Step-2 >> Host</label>
<fieldForLabel>Vehicle</fieldForLabel>
<fieldForValue>Vehicle</fieldForValue>
<search id="idSearchSelectIndex">
<query>index = $choose_index$ | table host | dedup host</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
<default></default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</search>
</input>
But after selecting one index(CONTINENT) , nothing populates in host(Country).
It shows the error "
Duplicate values causing conflic"
@493669 But I got the idea, on how to deal with it.
Thank you for pointing me towards the right direction.
@493669 - Just to add more clarification. In our system index value is CONTINENT, COUTRY is HOST and STATE is SourceType
So basically looking to select multiple hosts and then should able to see sourcetypes from all those hosts to be populated. Also to be able to select multiple index and the hosts of all those selected indices should come.