Hi, I'd like to use a text box input field to add a string value into a multiselect in order to use the multiselect token to filter out values currently in the multiselect (with true) for each search query I use.
<input type="text" token="filter_out_text_input" id="filter_out_text_input">
<label>Enter a log event you want to filter out</label>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="multiselect" token="filter_out_option" id="filter_out_option">
<label>List to filter out log events</label>
<valuePrefix>NOT "*</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
</input>
.
.
.
<title>$app$ Error Frequency</title>
<chart>
<search>
<query>index="$app$-$env$" logLevel="ERROR" $filter_out_option$ $filter_out_text_input$
| eval filter_out_option="$filter_out_option$"
| where isnotnull(filter_out_option) AND filter_out_option!=""
| eval filter_out_text_input="$filter_out_text_input$"
| where isnotnull(filter_out_text_input) AND filter_out_text_input!=""
| multikv | eval ReportKey="error rate"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="refresh.display">progressbar</option>
</chart>
I would like to filter out error strings for the above search
Thanks in advance
Are you looking for something like this?
Test by selecting a few projects and adding the text "Error" to the text box to filter.
<form version="1.1" theme="light">
<label>MultiSelect_Text</label>
<fieldset submitButton="false">
<input type="multiselect" token="Project">
<label>Project</label>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>,</delimiter>
<fieldForLabel>Project</fieldForLabel>
<fieldForValue>Project</fieldForValue>
<search>
<query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="text" token="text_filter" searchWhenChanged="true">
<label>Text to Filter</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")
|where Project in ($Project$) AND NOT like (Record,"%$text_filter$%")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
thank you @renjith_nair this is fine for what I need
It seems there might be a misunderstanding. I'd prefer to steer clear of utilizing the makeresults command. My aim is to pinpoint a particular index (application) within a specific environment and gather all events categorized as errors or warnings.
Ideally, I'd like these events consolidated into a single location for ease of review. However, not all errors or warnings are pertinent to my needs. Therefore, I'd like to implement a filter mechanism where I can selectively exclude events by inputting a portion of the log message body into a text box. This text input would then be added to a multi-select feature, enabling me to filter out undesired events effectively.
I'd then use a token of a multi-select input and use that token in queries I already have....
See the Dashboard I provided you
Thank you in advance
makeresults is for me to create dummy events. It does not matter which search or values you use. What we need to look at is whether the logic works for you. In this case, does the logic provided in the sample work for you with the checkbox and text input? If not, based on the sample dashboard, what changes do you foresee?
@renjith_nair not exactly
Currently, I am using checkbox type to filter out error log events and those need to be pre-defined already
see the whole dashboard
<form theme="light">
<label>LDP Apps monitoring</label>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="app" searchWhenChanged="true">
<label>Application</label>
<choice value="app_1">App 1</choice>
<choice value="app_2">App 2</choice>
<choice value="app_3">App 3</choice>
<default>App 1</default>
<initialValue>App 1</initialValue>
</input>
<input type="dropdown" token="env" searchWhenChanged="true">
<label>Environment</label>
<choice value="qa">QA</choice>
<choice value="uat">UAT</choice>
<choice value="prod">PROD</choice>
<default>prod</default>
<initialValue>prod</initialValue>
</input>
<input type="time" token="time_range">
<label>Time Period</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="search_input" id="search_input" searchWhenChanged="true">
<label>Search for a certain log message</label>
</input>
<html>
<style>
div[id^="search_input"]{
width: 1000px !important;
}
</style>
</html>
<input type="checkbox" token="selected" searchWhenChanged="true" id="checkboxes">
<label>Filter out frequent errors:</label>
<choice value="AND NOT &quot;Error Log Message 1 to filter out&quot;">Error Log Message 1 to filter out</choice>
<choice value="AND NOT &quot;Error Log Message 2 to filter out&quot;">Error Log Message 2 to filter out</choice>
<choice value="AND NOT &quot;Error Log Message 3 to filter out&quot;">Error Log Message 3 to filter out</choice>
<choice value="AND NOT &quot;Error Log Message 4 to filter out&quot;">Error Log Message 4 to filter out</choice>
<delimiter> </delimiter>
<default></default>
</input>
<html>
<style>
div[id^="checkboxes"]{
width: 1000px !important;
}
</style>
</html>
</fieldset>
<row>
<panel>
<title>$app$ Access logs - status code</title>
<chart>
<title>**hardcoded time period</title>
<search>
<query>index="$app$-$env$" access_log status_code!="20*"
| timechart span=10m count by status_code</query>
<earliest>-3d</earliest>
<latest>now</latest>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>$app$ Error Frequency</title>
<chart>
<search>
<query>index="$app$-$env$" logLevel="ERROR" $selected$
| multikv | eval ReportKey="error rate"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>$app$ Specific Error Logs</title>
<table>
<search>
<query>index="$app$-$env$" logLevel="ERROR" $selected$
| rex mode=sed "s:&lt;1512&gt;:\n:g"
| bucket _time span=5m
| table _time, logName, logLevel, _raw | sort -_time</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>$app$ WARN Frequency</title>
<chart>
<search>
<query>index="$app$-$env$" logLevel="WARN" $selected$
| multikv | eval ReportKey="warn rate"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>$app$ Warn Messages</title>
<table>
<search>
<query>index="$app$-$env$" logLevel="WARN" $selected$
| rex mode=sed "s:&lt;1512&gt;:\n:g"
| bucket _time span=5m
| table _time, logName, logLevel, _raw | sort -_time</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="logLevel">
<colorPalette type="list">[#53A051,#006D9C,#F8BE34,#F1813F,#DC4E41]</colorPalette>
<scale type="threshold">0,30,70,100</scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Specific log event search</title>
<chart>
<title>**Copy a log message to search for an error log history, hardcoded time period</title>
<search>
<query>index="$app$-$env$" "$search_input$"
| eval search_input="$search_input$"
| where isnotnull(search_input) AND search_input!=""
| multikv | eval ReportKey="searched_event"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>
I want to use a text box input type to add a specific error message string into the multiselect, and that multiselect will be placed in each query provided above
so I can filter out certain events without having them specified in checkboxes.
Also, I want to use an empty multiselect as the default each time the dashboard is loaded.
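The multiselect in the opening post joins `NOT "*…*"` values with ` OR `, while the checkbox choices in the full dashboard join `AND NOT "…"` values with a space. The following added example (not code from the thread or from Splunk; the sample events, fragments and helper names are constructed, and the expansion rule assumed is the Simple XML concatenation of prefix, valuePrefix/valueSuffix, delimiter and suffix) expands both forms and shows which events each clause keeps.

```python
# Added illustration: events, fragments and helper names are constructed.
EVENTS = [
    "ERROR connection timeout to db-1",
    "ERROR cache miss storm",
    "ERROR payment declined",
]
FRAGMENTS = ["connection timeout", "cache miss"]

def escape_fragment(text):
    """Backslash-escape characters that would end the quoted search term early."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def expand_token(values, value_prefix="", value_suffix="", delimiter=" ",
                 prefix="", suffix=""):
    """prefix + (valuePrefix + value + valueSuffix, joined by delimiter) + suffix."""
    if not values:
        return ""  # assumption: an empty selection adds nothing to the search
    body = delimiter.join(
        f"{value_prefix}{escape_fragment(v)}{value_suffix}" for v in values
    )
    return f"{prefix}{body}{suffix}"

def keeps_or(event, fragments):
    """NOT a OR NOT b == NOT (a AND b): dropped only if every fragment matches."""
    low = event.lower()  # search terms match case-insensitively
    return not fragments or any(f.lower() not in low for f in fragments)

def keeps_and(event, fragments):
    """NOT a NOT b (implicit AND): dropped if any fragment matches."""
    low = event.lower()
    return all(f.lower() not in low for f in fragments)

def survivors(keeps, events=EVENTS, fragments=FRAGMENTS):
    """Events that still reach the chart after the exclusion clause."""
    return [e for e in events if keeps(e, fragments)]

# Delimiter from the opening post's multiselect
OR_CLAUSE = expand_token(FRAGMENTS, 'NOT "*', '*"', " OR ")
# Same values joined by a space, as the checkbox input does
AND_CLAUSE = expand_token(FRAGMENTS, 'NOT "*', '*"', " ")

if __name__ == "__main__":
    print(OR_CLAUSE, "->", survivors(keeps_or))
    print(AND_CLAUSE, "->", survivors(keeps_and))
```

On these constructed events the ` OR `-joined clause keeps all three, because no single event contains both fragments; the space-joined clause keeps only the payment event.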
So you want to use a checkbox and not a multiselect. Both are different in the Splunk context.
Here is the updated one. You can leave the checkbox and just filter in the text box, or you can select the checkbox and the filter.
<form version="1.1" theme="light">
<label>CheckBox_Text</label>
<fieldset submitButton="false">
<input type="checkbox" token="exclude" searchWhenChanged="true" id="checkbox">
<label>Select to exclude</label>
<fieldForLabel>Project</fieldForLabel>
<fieldForValue>Project</fieldForValue>
<search>
<query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> ,</delimiter>
<prefix>AND NOT Project IN (</prefix>
<suffix>)</suffix>
<default>""</default>
</input>
<input type="text" token="text_filter" searchWhenChanged="true">
<label>Text to Filter</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")
|where NOT like (Record,"%$text_filter$%") $exclude$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>