@kamlesh_vaghela, you missed accounting for Multi-value Token Delimiter and Suffix while extracting the selected values as single values for the dropdown.

@belle501, please try out the code for dropdown as below. Also for the dropdown token $vm1$ make sure token value is prefixed/suffixed properly before either in the dropdown properties or else during the search.

  <fieldset>
    <input type="multiselect" token="vm">
      <label>Machine</label>
      <fieldForLabel>name</fieldForLabel>
      <fieldForValue>name</fieldForValue>
      <search>
         <query>| savedsearch PAT_machines_search
                | search company="$company$" operational_status=$opstatus$ os=$os$
         </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valueSuffix>*</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="dropdown" token="linux_server">
      <label>Linux Server</label>
      <fieldForLabel>linux_selected_server</fieldForLabel>
      <fieldForValue>linux_selected_server</fieldForValue>
      <search>
        <query>| makeresults
| eval linux_selected_server=rtrim(replace("$vm$"," OR ",""),"*")
| eval linux_selected_server=split(linux_selected_server,"*")
| mvexpand linux_selected_server
| fields - _time</query>
      </search>
    </input>
  </fieldset>

If the above does not work please share the Search code in Simple XML where you are using the dropdown selected token value.

Hi niketnilay, thanks for your anwser. The dropdown field works correctly, but my panels keep giving errors saying that mvexpand is causing excessive memory usage.

Alright, I have it implemented now, but I'm running into some issues. The dropdown correctly shows the servers but whenever I select one, the panels which depend on it won't load. They come up with errors like these:

The limit has been reached for log messages in info.csv. 137 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.

[suct2v701] command.mvexpand: output will be truncated at 108700 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.

Can you please share value from panel title?

<title>$vm$</title>

Can you please let me know how many results return from multiselect search?

Thanks

Hmm, I'm not sure I follow, what would you like to see?

This is how it looks now:

https://www.dropbox.com/s/l7s7umhi45jxtm6/Knipsel.JPG?dl=0

https://www.dropbox.com/s/tw7ley27764l9uw/Knipsel2.JPG?dl=0

HI
Have you changed delimiter?

<delimiter> ,</delimiter>

This screenshot shows OR delimiter.

https://www.dropbox.com/s/tw7ley27764l9uw/Knipsel2.JPG?dl=0

Hi kamlesh, yes I had to change this part of your code:

 <form>
   <label>multi-select input field for  dropdown input field</label>
   <fieldset submitButton="false">
     <input type="multiselect" token="vm">
       <label>Machine</label>
       <fieldForLabel>sourcetype</fieldForLabel>
       <fieldForValue>sourcetype</fieldForValue>
       <search>
         <query>index=_internal * | stats count by sourcetype </query>
         <earliest>-1h@h</earliest>
         <latest>now</latest>
       </search>
       <delimiter> ,</delimiter>
     </input>
   </fieldset>

Because otherwise I couldn't select any machine in the multi-select field, and the dashboard would not load.

ooh,

Ok, then we'll continue with OR the delimiter. I have revised my search due to mvexpand is causing excessive memory usage.

Can you please try this one?

<form>
  <label>multi-select input field for possible entries in a dropdown input field</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="vm">
      <label>Machine</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal * | stats count by sourcetype </query>
        <earliest>-1h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$vm$</title>
      <input type="dropdown" token="vm1">
        <label>My Machine</label>
        <fieldForLabel>sourcetype</fieldForLabel>
        <fieldForValue>sourcetype</fieldForValue>
        <search>
          <query>| makeresults | eval sourcetype="$vm$" | eval sourcetype=split(sourcetype," OR ") | stats count by sourcetype | table sourcetype</query>
        </search>
      </input>
    </panel>
  </row>
</form>

Thanks

It works so far! 🙂 I edited the dropdown code a bit, this is what I ended up with:

<row id="linux_input">
    <panel depends="$linux_patches$">
      <input type="dropdown" token="vm1" searchWhenChanged="true">
        <label>Linux Server</label>
          <fieldForLabel>linux_selected_server</fieldForLabel>
          <fieldForValue>linux_selected_server</fieldForValue>
          <search>
            <query>| makeresults 
                   | eval linux_selected_server="$vm$" 
                   | eval linux_selected_server=replace("$vm$", "\*", "")
                   | eval linux_selected_server=split(linux_selected_server," OR ") 
                   | stats count by linux_selected_server 
                   | table linux_selected_server
            </query>
          </search>
        </input>
    </panel>
  </row>

Hi @belle501,

Glad to help you.

Can you please accept the answer to close the question and upvote my comments which helped you.

Happy Splunking

Will do! 🙂

Thanks, will try it out!