Dashboards & Visualizations

choose all Multiselect values by default

Naa_Win
Path Finder

Hello,

need help for auto multi select of the input values...

Naa_Win_1-1723495334802.png

So I have a Index values like data1, data2, data3. If I select data1 the sourcetype related to data1 should be auto selected, if i multislect data1 & data2 in the index it has to auto select in multi sourcetype

Labels (1)
Tags (2)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

This can be quite challenging, because if you then remove one of the sourcetypes from the auto-populated multiselect then add a new index selection it has to do some fiddly calculations to find out which of the indexes has changed and then only add the new sourcetypes to the current  sourcetype selection.

It can be done,  but it's quite a messy thing to play with given all the possible permutations of what you can do.

Here's an example of simply adding sourcetypes to the auto select - hopefully it will give you some pointers.

I've put a bunch of search panels that can show you what's going on.

<form version="1.1" theme="light">
  <label>AutoSelectMulti</label>
  <init>
    <set token="pre_indexes"></set>
  </init>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="multiselect" token="tok_indexes" searchWhenChanged="true">
        <label>Indexes</label>
        <prefix>index IN (</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter> ,</delimiter>
        <fieldForLabel>index</fieldForLabel>
        <fieldForValue>index</fieldForValue>
        <search base="base_defs">
          <query/>
        </search>
      </input>
      <input type="multiselect" token="tok_sourcetype" searchWhenChanged="true">
        <label>Sourcetypes</label>
        <prefix>sourcetype IN (</prefix>
        <suffix>)</suffix>
        <valuePrefix>"</valuePrefix>
        <valueSuffix>"</valueSuffix>
        <delimiter>,</delimiter>
        <search base="base_defs">
          <query>
| stats count by sourcetype
          </query>
        </search>
        <fieldForLabel>sourcetype</fieldForLabel>
        <fieldForValue>sourcetype</fieldForValue>
      </input>
    </panel>
    <panel>
      <table>
        <search id="base_defs">
          <query>| tstats values(sourcetype) as sourcetype count where index=* OR index=_* by index</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">2</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
      <table>
        <search base="base_defs">
          <done>
            <eval token="form.tok_sourcetype">$result.form_tok_sourcetype$</eval>
            <set token="tok_sourcetype">$result.tok_sourcetype$</set>
          </done>
          <query>| search $tok_indexes$
| stats values(sourcetype) as sourcetype
| eval form_tok_sourcetype=sourcetype
| eval tok_sourcetype="sourcetype in (\"".mvjoin(sourcetype, "\",\"")."\")"</query>
        </search>
        <option name="count">2</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

Naa_Win
Path Finder

Basically what I'm looking for is, I have a Multi Select Server input, if i select 5 servers which are belongs to 3 goes to US and 2 go to UK, I want it to have two panels. The US panel shows the clients (3 total). Whereas UK panel shows the identical thing, but only the 2 clients 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

This is a different question to the one asked. How do you know the location of the servers and does the data for each panel come from the same search.

If it comes from the same search then you would be better of having a base search, see here

https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/Savedsearches

where your base search does all the data selection and aggregation and then each of the panels only shows the data from that base search that relate to the region of the server/clients they want.

 

0 Karma

Naa_Win
Path Finder

This is what i have so far..


 

 

<form version="1.1" theme="light">
  <label>AutoSelectMulti</label>
  <init>
    <set token="pre_indexes"></set>
  </init>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="server" searchWhenChanged="true">
      <label>Server</label>
      <fieldForLabel>dns</fieldForLabel>
      <fieldForValue>dns</fieldForValue>
      <search>
        <query>index=summary source=sc dns=eaz* | dedup dns | table dns</query>
      </search>
      <delimiter> ,</delimiter>
    </input>
    <input type="multiselect" token="ds1">
      <label>DS1</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=summary source=sc dns=eaz* | search dns IN ($server$) | dedup host | table host</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
      <delimiter> ,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>EAST DS</title>
        <search>
          <query>| makeresults 
| eval ServerclassInfo="[serverClass:serverclass]
whitelist.0 = server1
whitelist.1 = server2
Server List which needs to add under whitelist = $server$ 
EAST Deployment Server : $ds$"
| fields ServerclassInfo
| fields - _time</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>West DS</title>
        <search>
          <query>| makeresults 
| eval ServerclassInfo="[serverClass:serverclass]
whitelist.0 = server1
whitelist.1 = server2
Server List which needs to add under whitelist = $server$ 
WEST Deployment Server : $ds$"
| fields ServerclassInfo
| fields - _time</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

 

What Ultimately I'm looking is if i select 5 servers which are belongs to 3 goes to US and 2 go to UK, I want it to have two panels. The US panel shows the 3 servers with what DS. Whereas other panel shows the identical thing, but only the 2 servers . That's okay if we don't have that Deployment Server input too.

Naa_Win_0-1723564931689.png

 

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You haven't explained a fundamental part of the problem - how do you know which servers go in to US and which servers go into UK (or EAST and WEST as in your example).

You need to know how you can tell if server 1 belongs to panel 1 or panel 2. Then you simply need to have a base search that splits up the selected servers according to their region, e.g.

| makeresults
| eval servers=split($server|s$, ",")
| eval region=<<DEFINE YOUR LOGIC HERE TO CREATE REGION BASED ON HOST>>>
| stats values(server) as server by region
| eval server=mvjoin(server, ",")
| transpose 0 header_field=region

and then you have a <done> clause where you set the tokens for each panel accordingly

<done>
  <set token="region_1">$result.region_1$</set>
  <set token="region_2">$result.region_2$</set>
</done>

and you then use the region_1 and 2 tokens in your panels instead of $server$

Naa_Win
Path Finder

So I have a schedule search running on DS to summery index which pulls all the info from two DS. Index=summery source=sc. which has the serveclass, forwarder, deplyment server, deployementappname info. 

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

That's fine, but it still doesn't say which servers go in the left panel and which go in the right - how do you decide that logic - anyway, my previous post gives you an example to work with, I hope you can give that a go and see if it can get you where you're trying to get to.

0 Karma

burwell
SplunkTrust
SplunkTrust

This answer https://community.splunk.com/t5/Dashboards-Visualizations/How-to-use-token-in-a-multi-select-form-in...

is close to what you want.  You would end up with a set of sourcetype=data1 OR sourcetype=data2 etc.

And you can initialize the default value with comma separated values as shown in https://community.splunk.com/t5/Dashboards-Visualizations/choose-all-Multiselect-values-by-default-w...

0 Karma

Naa_Win
Path Finder

I tried those but if i select multiple index the sourcetype multi select is not working. 

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...