Re: Populating multiselect input conditional on an...

vil505 · ‎06-21-2016

I'm trying to set up a dashboard that will allow a user to see the stats of the hosts they select. What I would like to do is make it so the user will select an input, or multiple input, via multiselect, and choice will determine what hosts appear in a second multiselect. For example, say I select the cthamp index in the first input. Then in the second input, I should see a choice of prdctlvamx306.clientsys.local, prdctlvamx307.clientsys.local, and so on and so forth. I have the index multiselect set up, but I don't know how to even begin setting up the host multiselect. Here is my xml:

<form>
  <label>AMX Version 2</label>
  <description>Experiment in dashboard search capabilities, designed to give the user more control over what they see in a dashboard.</description>
  <fieldset submitButton="false">
    <input type="time" token="timetok1">
      <label>Select a time range.</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="indextok" searchWhenChanged="true">
      <label>Select one or more indexes.</label>
      <default>*amx*</default>
      <choice value="*amx*">All</choice>
      <choice value="amx3_cthamp">cthamp</choice>
      <choice value="amx_authamp">authamp</choice>
      <choice value="amx_bosmarbal">bosmarbal</choice>
      <choice value="amx_cdac">cdac</choice>
      <choice value="amx_institution">institution</choice>
      <choice value="amx_uam">uam</choice>
      <choice value="app_amx">app_amx</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="multiselect" token="hosttok1">
      <label>Select target hosts.</label>
      <change>
        <condition label="cthamp">
          <set choice="prdctlvamx306.clientsys.local">prdctlvamx306.clientsys.local</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=*amx*| stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Error Table</title>
        <search>
          <query>$indextok$ host=* source=* "error"| rex "(?&lt;error&gt;)"| rex "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\,\d+\s+(?&lt;error&gt;.*)"| table _time index host source error</query>
          <earliest>$timetok1.earliest$</earliest>
          <latest>$timetok1.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

somesoni2 · ‎06-21-2016

Try this

1) Create a lookup table with your index name and corresponding host name. Say lookup name is index_to_host.csv with fields index and host
2) For host multiselect, instead of static options use, search like this. Use host ad field for value and label.

 | inputlookup index_to_host.csv | table index host | search index=$indextok$ | table host

vil505 · ‎06-27-2016

Thank you for getting back to me, and I apologize for replying to this thread so late.

I'll start working on setting that up, but as an alternative, is there any way for this xml to work:

  <row>
    <panel>
      <input type="multiselect" token="testtoka">
        <label>select index</label> 
        <default>*amx*</default>
        <choice value="*amx*">All</choice>
        <choice value="amx3_cthamp">cthamp</choice>
        <choice value="amx_authamp">authamp</choice>
        <choice value="amx_bosmarbal">bosmarbal</choice>
        <choice value="amx_cdac">cdac</choice>
        <choice value="amx_institution">institution</choice>
        <choice value="amx_uam">uam</choice>
        <choice value="app_amx">app_amx</choice>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <valuePrefix>index="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
      </input>
      <input type="dropdown" token="testtokb">
        <label>Hosts</label>
        <prefix>host="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <!--Define the default value -->
        <choice value="*">All</choice>
        <!-- Define the choices with a populating search-->
        <populatingSearch fieldForValue="testtokb" fielForLabel="testtokb">
          <![CDATA[index="$testtoka$" | stats count by host]]>
        </populatingSearch>
      </input>
      <table>
        <title>test</title>
        <search>
          <query>host=$testtokb$ source=* "error"| rex "(?&lt;error&gt;)"| rex "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\,\d+\s+(?&lt;error&gt;.*)"| table _time index host source error</query>
          <earliest>$timetok1.earliest$</earliest>
          <latest>$timetok1.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>

I tried setting this up so the index in the multi-select will populate the dropdown. However, when I select an index, the dropdown just says "Search produced no results."

Any thought?

Populating multiselect input conditional on another multiselect input?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!