Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Select "All" option in dropdown doesnot work

navd
New Member
‎05-30-2018 02:21 PM

I have a dropdown input to display Host which has options for hosts already predetermined in it from previous dropdowns. When I select the "All" option in the dropdown , instead of displaying all the hosts in the host dropdown, its displaying eventsof all the hosts belonging to index . How can I have an all option for just the hosts determined in host dropdown?

Tags (1)
0 Karma
Reply

satyaballa
New Member
‎06-04-2020 03:39 AM

we can use * astric with combination of like
code |where like (fieldName,$%*%$)

0 Karma
Reply

niketn
Legend
‎05-31-2018 08:20 AM

@navd, that should work use the change event handler <change> <condition label="All"> and set the token to the value of hosts based on selected inputs.

Take the multiselect query out of the fieldset block as an independent dummy search with a search id for post-processing. Build the query to give comma separate host names for host values when All is selected. (You can also choose this for default option.)

For the dropdown code <search>, you can use further query to split the comma separated single value to multiple rows again. Please try out the following and confirm! 

  <search id="baseSearchHostFilter">
    <query>| tstats count where index="abc" AND host=*$service$* AND host=*$env$* by host
| stats values(host) as host
| nomv host
| eval host=replace(host," ",",")
| table host</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
    <done>
      <set token="tokAllFilteredHosts">$result.host$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokHostDropDown" searchWhenChanged="true">
      <label>Select Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search base="baseSearchHostFilter">
        <query>| makemv host delim=","
        | mvexpand host
        </query>
      </search>
      <change>
        <condition label="All">
          <set token="tokHost">$tokAllFilteredHosts$</set>
        </condition>
        <condition>
          <set token="tokHost">$value$</set>
        </condition>
      </change>
      <choice value="*">All</choice>
    </input>
  </fieldset>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

navd
New Member
‎05-31-2018 10:51 AM

I have tried with the code you provided , but ALL option isn't working , below is my sample xml for my entire dashboard . let me know if I am missing anything here .

<form>
  <label>My test dropdown</label>
  <search id="baseSearchHostFilter">
    <query>| tstats count where index="abc" AND host=*$service$* AND host=*$env$* by host
 | stats values(host) as host
 | nomv host
 | eval host=replace(host," ",",")
 | table host
<earliest>-7d@h</earliest>
<latest>now</latest>
<done>
  <set token="tokAllFilteredHosts">$result.host$</set>
</done>


<input type="dropdown" token="service" searchWhenChanged="true">
  <label>Select service</label>
  <choice value="service1">service1</choice>
  <choice value="service2">service2</choice>
  <fieldForLabel>service</fieldForLabel>
  <fieldForValue>service</fieldForValue>
</input>
<input type="dropdown" token="env" searchWhenChanged="true">
  <label>Select Environment</label>
  <choice value="DEV">DEV</choice>
  <choice value="QA">QA</choice>
  <choice value="PROD">PROD</choice>
  <fieldForLabel>env</fieldForLabel>
  <fieldForValue>env</fieldForValue>
</input>
<input type="dropdown" token="tokHostDropDown" searchWhenChanged="true">
  <label>Select Host</label>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search base="baseSearchHostFilter">
    <query>| makemv host delim=","
     | mvexpand host
     </query>
  </search>
  <change>
    <condition label="All">
      <set token="tokHost">$tokAllFilteredHosts$</set>
    </condition>
    <condition>
      <set token="tokHost">$value$</set>
    </condition>
  </change>
  <choice value="*">All</choice>
</input>


<panel>
  <event>
    <search>
      <query>index="abc" host=$tokHostDropDown$</query>
      <earliest>$time_range.earliest$</earliest>
      <latest>$time_range.latest$</latest>
    </search>
    <option name="list.drilldown">full</option>
    <option name="refresh.display">progressbar</option>
  </event>
</panel>
0 Karma
Reply

somesoni2
Revered Legend
‎05-30-2018 02:45 PM

You probably need to update your query to take all the dropdowns filters in account OR update your dropdown population query to dynamically populate "All" option (which might have just set to * right now). As @niketnilay mentioned, share you dashboard xml showing those dropdowns and panel search.

0 Karma
Reply

niketn
Legend
‎05-30-2018 02:39 PM

@navd, can you share the simple XML code for your host drodown?

You should try having a query like the following for getting all unique hosts for your index.

| tstats count where index="<yourIndexName>" by host
| table host
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

navd
New Member
‎05-30-2018 02:45 PM

@niketnilay
My host drop down XMl

<input type="multiselect" token="host" searchWhenChanged="true">
  <label>Select Host Name</label>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search>
    <query>index=abc  (host=*$service$* AND host=*$env$*) |dedup host</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>
  <delimiter> </delimiter>
  <choice value="*">ALL</choice>
</input>

And In my final search I am using this query to display events based on host selection

index="abc" host IN($host$)

0 Karma
Reply

niketn
Legend
‎05-30-2018 03:00 PM

Your existing query should be as following since you just need host field:

index=abc  (host=*$service$* AND host=*$env$*) 
| fields host
| dedup host
| table host

However, you should try out the tstats command as suggested which will populate the input faster:

| tstats count where index="abc" AND host=*$service$* AND host=*$env$* by host
| table host

Having said that you are using a Multiselect input which is different from Dropdown. Multiselect input does not have a <change> event handler (rather change event handler works only for single selected input). Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Event_handler_element

So couple of options you can try:

1) Code multiselect change event handler in JavaScript to handle All scenario to add all the hosts in multiselect as token. You would have to search through Splunk Answers for some examples.

2) If you know a list of known hosts (if they are stored as repository say Database or Lookup File in Splunk with mapping corresponding to Services and Environment), then use dblookup or inputlookup command to pull the value through a dummy search and put the list as token which should be used as default value for multiselect. Remove All condition.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

navd
New Member
‎05-31-2018 07:12 AM

What if I want to change my multiselect to just dropdown and include ALL option , so that it displays All hosts based on the query

index=abc (host=$service$ AND host=$env$) |dedup host

can you help me out how I can do a dropdown which also includes ALL option based on the above xml I provided

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...