Populating multiselect input conditional on anothe...

vil505 · ‎06-21-2016

I'm trying to set up a dashboard that will allow a user to see the stats of the hosts they select. What I would like to do is make it so the user will select an input, or multiple input, via multiselect, and choice will determine what hosts appear in a second multiselect. For example, say I select the cthamp index in the first input. Then in the second input, I should see a choice of prdctlvamx306.clientsys.local, prdctlvamx307.clientsys.local, and so on and so forth. I have the index multiselect set up, but I don't know how to even begin setting up the host multiselect. Here is my xml:

<form>
  <label>AMX Version 2</label>
  <description>Experiment in dashboard search capabilities, designed to give the user more control over what they see in a dashboard.</description>
  <fieldset submitButton="false">
    <input type="time" token="timetok1">
      <label>Select a time range.</label>
      <default>
        <earliest>-15m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="indextok" searchWhenChanged="true">
      <label>Select one or more indexes.</label>
      <default>*amx*</default>
      <choice value="*amx*">All</choice>
      <choice value="amx3_cthamp">cthamp</choice>
      <choice value="amx_authamp">authamp</choice>
      <choice value="amx_bosmarbal">bosmarbal</choice>
      <choice value="amx_cdac">cdac</choice>
      <choice value="amx_institution">institution</choice>
      <choice value="amx_uam">uam</choice>
      <choice value="app_amx">app_amx</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>index="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="multiselect" token="hosttok1">
      <label>Select target hosts.</label>
      <change>
        <condition label="cthamp">
          <set choice="prdctlvamx306.clientsys.local">prdctlvamx306.clientsys.local</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=*amx*| stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Error Table</title>
        <search>
          <query>$indextok$ host=* source=* "error"| rex "(?&lt;error&gt;)"| rex "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\,\d+\s+(?&lt;error&gt;.*)"| table _time index host source error</query>
          <earliest>$timetok1.earliest$</earliest>
          <latest>$timetok1.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

somesoni2 · ‎06-21-2016

Try this

1) Create a lookup table with your index name and corresponding host name. Say lookup name is index_to_host.csv with fields index and host
2) For host multiselect, instead of static options use, search like this. Use host ad field for value and label.

 | inputlookup index_to_host.csv | table index host | search index=$indextok$ | table host

vil505 · ‎06-27-2016

Thank you for getting back to me, and I apologize for replying to this thread so late.

I'll start working on setting that up, but as an alternative, is there any way for this xml to work:

  <row>
    <panel>
      <input type="multiselect" token="testtoka">
        <label>select index</label> 
        <default>*amx*</default>
        <choice value="*amx*">All</choice>
        <choice value="amx3_cthamp">cthamp</choice>
        <choice value="amx_authamp">authamp</choice>
        <choice value="amx_bosmarbal">bosmarbal</choice>
        <choice value="amx_cdac">cdac</choice>
        <choice value="amx_institution">institution</choice>
        <choice value="amx_uam">uam</choice>
        <choice value="app_amx">app_amx</choice>
        <prefix>(</prefix>
        <suffix>)</suffix>
        <valuePrefix>index="</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> OR </delimiter>
      </input>
      <input type="dropdown" token="testtokb">
        <label>Hosts</label>
        <prefix>host="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <!--Define the default value -->
        <choice value="*">All</choice>
        <!-- Define the choices with a populating search-->
        <populatingSearch fieldForValue="testtokb" fielForLabel="testtokb">
          <![CDATA[index="$testtoka$" | stats count by host]]>
        </populatingSearch>
      </input>
      <table>
        <title>test</title>
        <search>
          <query>host=$testtokb$ source=* "error"| rex "(?&lt;error&gt;)"| rex "\d+\-\d+\-\d+\s+\d+\:\d+\:\d+\,\d+\s+(?&lt;error&gt;.*)"| table _time index host source error</query>
          <earliest>$timetok1.earliest$</earliest>
          <latest>$timetok1.latest$</latest>
        </search>
        <option name="wrap">undefined</option>
        <option name="rowNumbers">undefined</option>
        <option name="drilldown">row</option>
      </table>

I tried setting this up so the index in the multi-select will populate the dropdown. However, when I select an index, the dropdown just says "Search produced no results."

Any thought?

Populating multiselect input conditional on another multiselect input?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...