Why do Panels show no records when multiple values selected in multiselect input?

gbwilson
Path Finder

I'm trying to create a dashboard that shows all devices with a certain OS. To start, I have three dashboard panels: one for VMs, one for PCs, and one for physical hosts. I'm using one multiselect input with operating system options to populate each device type panel. I want the panels to dynamically update when one or more operating systems are selected. However, when I pick more than one OS, I get an error on each panel saying "No results found."

How can I use one multiselect token to populate multiple panels when selecting more than one OS?

<form>
  <label>CMS_OS</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="ostestfield" searchWhenChanged="true">
      <label>OSTEST</label>
      <fieldForLabel>Operating System</fieldForLabel>
      <fieldForValue>Operating System</fieldForValue>
      <search>
        <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>VM OS</title>
      <table>
        <search>
          <query>index=cms_vm OperatingSystem_Code="$ostestfield$" |dedup VM|table VM OperatingSystem_Code | rename OperatingSystem_Code as OS</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>PCs</title>
        <search>
          <query>index=cms_pc OSVersion="$ostestfield$" | dedup DeviceName | table DeviceName OSVersion | rename OSVersion as OS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Hosts</title>
        <search>
          <query>index=cms_host OperatingSystem_Code="$ostestfield$" | dedup DeviceName | table DeviceName OperatingSystem_Code</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

DalJeanis
Legend

Okay, here are the first couple of things I notice.

1) In this code you are building a synthetic field value that is not on your underlying records, and then later you are trying to use that nonexistent field to select your records.

     <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>

I'm going to assume that you have defined that somewhere else, or your code should not be working right for ONE selection, let alone multiselects.

2) In this code, you are creating a single multivalue token ...

   <delimiter> OR </delimiter>
   <valuePrefix>"</valuePrefix>
   <valueSuffix>"</valueSuffix>

...with a result that looks like this...

 ( "value1" OR "value2" OR .... OR "value99"  )

...and then later you are trying to use it in this code...

 index=cms_vm OperatingSystem_Code="$ostestfield$"  | more stuff

...but the resulting substitution is not meaningful to Splunk...

      index=cms_vm OperatingSystem_Code="( "value1" OR "value2" OR ... OR "value99" ) "

... so you need to change your format in two places.

Try changing this...

   <valuePrefix>"</valuePrefix>

...to this...

   <valuePrefix>OperatingSystem_Code="</valuePrefix>

...and changing this...

  index=cms_vm OperatingSystem_Code="$ostestfield$" 

...to this...

  index=cms_vm   $ostestfield$ 

paritoshs24
Path Finder
  index=cms_vm   $ostestfield$ 

@DalJeanis  @gbwilson 

Instead of the above command, we can use

index IN (cms_pc cms_vm cms_host) OperatingSystem_Code IN ($ostestfield$)
0 Karma
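
A variant of the dashboard that combines the two replies above, added here as an example and not code posted by any participant: the token carries only the quoted values, and each panel applies it to its own field with IN, so the PCs panel (OSVersion) and the VM and Hosts panels (OperatingSystem_Code) can share one input. It assumes a Splunk version whose search command supports the IN operator; the panel display options from the question are omitted.

```xml
<form>
  <label>CMS_OS</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="ostestfield" searchWhenChanged="true">
      <label>OSTEST</label>
      <fieldForLabel>Operating System</fieldForLabel>
      <fieldForValue>Operating System</fieldForValue>
      <search>
        <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>
        <earliest>0</earliest><latest></latest>
      </search>
      <!-- The token holds quoted values only, with no field name. Selecting the
           constructed sample values A and B expands to: "A","B" -->
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>VM OS</title>
      <table>
        <search>
          <!-- Each panel names its own field and wraps the token in IN (...) -->
          <query>index=cms_vm OperatingSystem_Code IN ($ostestfield$) | dedup VM | table VM OperatingSystem_Code | rename OperatingSystem_Code as OS</query>
          <earliest>0</earliest><latest></latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>PCs</title>
      <table>
        <search>
          <query>index=cms_pc OSVersion IN ($ostestfield$) | dedup DeviceName | table DeviceName OSVersion | rename OSVersion as OS</query>
          <earliest>0</earliest><latest></latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Hosts</title>
      <table>
        <search>
          <query>index=cms_host OperatingSystem_Code IN ($ostestfield$) | dedup DeviceName | table DeviceName OperatingSystem_Code</query>
          <earliest>0</earliest><latest></latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```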

gbwilson
Path Finder

Thank you for your help. New to Splunk and your answer explained everything very clearly. I really appreciate it.
