I'm trying to create a dashboard that shows all devices with a certain OS. To start, I have three dashboard panels: one for VMs, one for PCs, and one for physical hosts. I'm using one multiselect input with operating system options to populate each device type panel. I want the panels to dynamically update when one or more operating systems is selected. However, when I pick more than one OS, I get an error on each panel saying "No results found."
How can I use one multiselect token to populate multiple panels when selecting more than one OS?
<form>
  <label>CMS_OS</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="ostestfield" searchWhenChanged="true">
      <label>OSTEST</label>
      <fieldForLabel>Operating System</fieldForLabel>
      <fieldForValue>Operating System</fieldForValue>
      <search>
        <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>VM OS</title>
      <table>
        <search>
          <query>index=cms_vm OperatingSystem_Code="$ostestfield$" |dedup VM|table VM OperatingSystem_Code | rename OperatingSystem_Code as OS</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>PCs</title>
        <search>
          <query>index=cms_pc OSVersion="$ostestfield$" | dedup DeviceName | table DeviceName OSVersion | rename OSVersion as OS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Hosts</title>
        <search>
          <query>index=cms_host OperatingSystem_Code="$ostestfield$" | dedup DeviceName | table DeviceName OperatingSystem_Code</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Okay, here are the first couple of things I notice.
1) In this code you are building a synthetic field value that is not on your underlying records, and then later you are trying to use that nonexistent field to select your records.
<query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>
I'm going to assume that you have defined that somewhere else, or your code should not be working right for ONE selection, let alone multiselects.
2) In this code, you are creating a single multivalue token ...
<delimiter> OR </delimiter>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
...with a result that looks like this...
( "value1" OR "value2" OR .... OR "value99" )
...and then later you are trying to use it in this code...
index=cms_vm OperatingSystem_Code="$ostestfield$" | more stuff
...but the resulting substitution is not meaningful to Splunk...
index=cms_vm OperatingSystem_Code="( "value1" OR "value2" OR ... OR "value99" ) "
... so you need to change your format in two places.
Try changing this...
<valuePrefix>"</valuePrefix>
...to this...
<valuePrefix>OperatingSystem_Code="</valuePrefix>
...and changing this...
index=cms_vm OperatingSystem_Code="$ostestfield$"
...to this...
index=cms_vm $ostestfield$
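Added example, not part of the original answer: a Python model of how the multiselect token is assembled from `delimiter`, `valuePrefix` and `valueSuffix` (plus optional `prefix`/`suffix`), showing the VM panel's search string before and after the answer's two changes, with a check that flags panels still wrapping the token as `field="$token$"`. The sample XML is trimmed from the question, the OS values are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's multiselect input and VM panel, trimmed.
DASHBOARD = """<form><fieldset>
  <input type="multiselect" token="ostestfield">
    <delimiter> OR </delimiter>
    <valuePrefix>"</valuePrefix>
    <valueSuffix>"</valueSuffix>
  </input>
</fieldset><row><panel><table><search>
  <query>index=cms_vm OperatingSystem_Code="$ostestfield$" | dedup VM</query>
</search></table></panel></row></form>"""

# The answer's two changes applied to the same sample.
FIXED = (DASHBOARD
         .replace('<valuePrefix>"', '<valuePrefix>OperatingSystem_Code="')
         .replace('OperatingSystem_Code="$ostestfield$"', "$ostestfield$"))

def multiselects(root):
    """Map token name -> its <input type="multiselect"> element."""
    return {i.get("token"): i for i in root.iter("input")
            if i.get("type") == "multiselect"}

def render_token(inp, values):
    """prefix + (valuePrefix + value + valueSuffix joined by delimiter) + suffix."""
    part = lambda tag: inp.findtext(tag) or ""
    body = part("delimiter").join(
        part("valuePrefix") + v + part("valueSuffix") for v in values)
    return part("prefix") + body + part("suffix")

def expand(dashboard_xml, values):
    """Panel queries as they read after token substitution."""
    root = ET.fromstring(dashboard_xml)
    queries = [q.text.strip() for p in root.iter("panel") for q in p.iter("query")]
    for name, inp in multiselects(root).items():
        queries = [q.replace(f"${name}$", render_token(inp, values)) for q in queries]
    return queries

def quoted_uses(dashboard_xml):
    """Panel queries that wrap a multiselect token as field="$token$"."""
    root = ET.fromstring(dashboard_xml)
    return [(name, q.text.strip())
            for p in root.iter("panel") for q in p.iter("query")
            for name in multiselects(root)
            if re.search(r'=\s*"\$' + re.escape(name) + r'\$"', q.text)]

if __name__ == "__main__":
    for xml in (DASHBOARD, FIXED):  # OS values below are constructed
        print(expand(xml, ["Windows 10", "RHEL 7"]), quoted_uses(xml))
```
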
@DalJeanis @gbwilson
Instead of the above command, we can use:
index IN (cms_pc cms_vm cms_host) OperatingSystem_Code IN ($ostestfield$)
Thank you for your help. New to Splunk and your answer explained everything very clearly. I really appreciate it.