Hi Guys,
New to Splunk. I have managed to build dashboards with multiselects before, but the data for this multiselect below does not populate any results in my dashboard, but it does populate on a separate search - opening a new search. Below is my multiselect query and my main sub search. I reached a dead end and really don't know what I am doing wrong.
Note: my main query is fine no issue there - its my multiselect that has the issue.
Multiselect:
<input type="multiselect" token="tok_ServerStatus" searchWhenChanged="true">
<label>Server Status</label>
<choice value="*">All</choice>
<fieldForLabel>Server Status</fieldForLabel>
<fieldForValue>ServerStatus</fieldForValue>
<search>
<query>| inputlookup X_Report.csv | rename "Server Status" as Status "Application Name" as ApplicationName | search $tok_ApplicationName$ | stats count by Status | table Status </query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<delimiter>OR </delimiter>
<default>All</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>ServerStatus="</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
Main Query:
| inputlookup X_Report.csv | rename "Application Name" as ApplicationName "Server Status" as Status | fillnull ApplicationName, Status value=NULL | search $tok_ServerStatus$ $tok_ApplicationName$ | stats values(Status) as "Server Status" values(ApplicationName) as "Application Name" by ServerName | sort ServerName
You have specified ServerStatus as your field for the multiselect but your query only returns Status - these should match
Haha, good pick! ![]()
Quick observation, just looking at your delimiter, you don't seem to have a space before the OR
<delimiter>OR </delimiter>so that would end up with
(aOR bOR c)
I tired adding a space between the delimiters, that did not work. One thing I noticed that was off is that when I hover my mouse over the multiselect box no values appear. I'm not sure what could be causing this.
If there are no values in the multiselect, then the search is not running or working.
You have $tok_Application$ in your populating search. That token may not be set - where is it coming from?
If you add that token into the title of the dashboard panel of your main search, you can see what value it has and when it is populated.