Token Options to Search Panels with All Results of a Dropdown?

interrobang
Explorer

Have a simple dashboard filtering logs by AppID's and related Servername.

First dropdown search defaults to "*" for all AppID's but search obtains all AppID's which you can select and has a token for $AppID$ eg.

"index="applogs" sourcetype="logs:apps:inventory" | table AppID | dedup AppID | sort AppID"

Second dropdown searches by $AppID$ token of First dropdown, to get the list of Servernames returned for selected AppID eg.

"$AppID$" index="syslogs" sourcetype="logs:servers:inventory" | eval Servername = host."\\".InstanceName | table AppID Servername | dedup Servername | sort Servername

This has a token for $Servername|s$ (escape chars in server name), which gets added to a bunch of search panels.

For example, select App49 in first dropdown, and it returns ServerA, ServerB, ServerC, ServerD in the second dropdown. Selecting ServerA, B, C or D in the second dropdown then searches a bunch of panels filtered by that Servername token.

That's all working fine, but by default I want the option to search all panels by all $Servername$ options in the second dropdown related to the selected AppID.

Adding a "*" wildcard option in second dropdown as in the first, just returns all Servernames, not the ones filtered by the $AppID$ token.

How can I default my second drop down to an "All" option that does this? eg. searches all panels by all the results that get populated in the second dropdown from the $AppID$ of the first?

0 Karma

bowesmana
SplunkTrust

Firstly I would suggest your search for the second dropdown change slightly to

index="syslogs" sourcetype="logs:servers:inventory" AppID=$AppID|s$
| eval Servername = host."\\".InstanceName 
| fields Servername 
| dedup Servername 
| sort Servername

that will be slightly more efficient.

You should add the wildcard option in the second dropdown, but in your panel searches you also need to include the 

AppID=$AppID|s$

as part of that search, so the * for ServerName will also be restricted to those in your chosen AppID

0 Karma

interrobang
Explorer

Ah sorry - I should have mentioned indexes for the panels based on "Servername" have no relation to the AppID. So I can't query the panels by AppID token.

The AppID index is searching a bunch of logs that have a field for AppID and two fields (host & node) which I'm using an eval to join together for the "Servername", which relates to a field in all the Servername index logs, giving me the one-way relation to what server(s) an AppID is running on. Which is silly, but that's the logs I'm dealing with... and hence the problem with a wildcard "*" selection on the second dropdown, it just returns any Servername, not ones filtered by AppID ie. its own dropdown query.

That's kinda why I'm wondering if the second dropdown already creates a list of the Servername(s) related to a specific AppID, how can I have all Servername(s) dropped/tokenized into the search query for each panel, not just a single Servername based on the token from selecting a second dropdown Servername but the whole list of dropdown options for Servername(s) tokenized or getting passed as tokens into the panel search queries - ie. a dropdown option for ALL...

0 Karma

bowesmana
SplunkTrust

@interrobang ok, got it

The easiest thing to do is to add the following to your dropdown search after the dedup Servername

| appendpipe [
  stats values(Servername) as Servername
  | format
  | rename search as Servername
  | eval name="All"
  | eval order=0
]
| sort order Servername
| fields - order

What this simply does is add a new row at the end with all the server names and create a new name field. This will either have the Servername or "All".

The purpose of the order is to sort the All to the top and then the servers in sorted order.

Set the fieldForValue to be Servername and the fieldForLabel to be name.

Then if you select All, it will have the Servername=A OR .. 

See this example to see how it's working

| makeresults
| fields - _time
| eval Servername=split("ABCD","")
| mvexpand Servername
| eval name=Servername
| eval Servername="Servername".Servername
| appendpipe [
  stats values(Servername) as Servername
  | format
  | rename search as Servername
  | eval name="All"
  | eval order=0
]
| sort order Servername
| fields - order

 

0 Karma
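One way to wire the "All" row from the answer above into a Simple XML dashboard, as an added example that is not part of the original thread. The `server_filter` token, the `<change>` handler, the `eval name=Servername` step in the main search, the dashboard label and the panel index placeholder are assumptions, as is the panel events carrying a field named `Servername`.

```xml
<!-- Added example: server_filter, the labels and the panel index are assumptions -->
<form version="1.1">
  <label>Servers by AppID (constructed example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="AppID" searchWhenChanged="true">
      <label>AppID</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>AppID</fieldForLabel>
      <fieldForValue>AppID</fieldForValue>
      <search>
        <query>index="applogs" sourcetype="logs:apps:inventory" | table AppID | dedup AppID | sort AppID</query>
      </search>
    </input>
    <input type="dropdown" token="Servername" searchWhenChanged="true">
      <label>Servername</label>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>Servername</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>index="syslogs" sourcetype="logs:servers:inventory" AppID=$AppID|s$
| eval Servername = host."\\".InstanceName
| dedup Servername
| eval name=Servername
| fields name Servername
| appendpipe [ stats values(Servername) as Servername | format | rename search as Servername | eval name="All" | eval order=0 ]
| sort order Servername
| fields - order</query>
      </search>
      <change>
        <!-- "All" row: the value is already a search expression built by format -->
        <condition label="All">
          <set token="server_filter">$value$</set>
        </condition>
        <!-- Single server: quote the raw name so it is matched as one literal -->
        <condition>
          <set token="server_filter">Servername=$value|s$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="PLACEHOLDER_PANEL_INDEX" $server_filter$ | stats count by Servername</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The panel consumes `$server_filter$` without the `|s` filter, because quoting the "All" value would turn the whole OR expression into a single string literal instead of a list of field comparisons.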