Solved: One choice, multiple values

epacke · ‎12-30-2014

Hi!
I'm trying to build a dashboard that searches two different indexes/sourcetypes using values from a dropdown.

Let's say I have a drop down with sites that sells different products:

Dropdown:
Apples
Pears
Oranges

When choosing "apples" and submitting I want the dashboard to show IIS logs from the apples web sites in one panel, and also firewall traffic to the apples site in another panel.

Since they're in different indexes and sourcetypes with different kind of distinguishers I was wondering if there was a way of storing multiple values in one choice (warning for crappy code), ie:

<input type="dropdown" token="producttype">
      <label>Brand:</label>
      <choice value1="Apples" value2="tcp_port=5000">Apples</choice>
      <choice value1="Pears" value2="tcp_port=6000">Pears</choice>
      <choice value1="Oranges" value2="tcp_port=7000">Oranges</choice>
      <default>Choose a brand</default>
    </input>

Hope that was somewhat clear?

Kind regards,
Patrik

acharlieh · ‎12-30-2014

Instead of trying to specify multiple values in your form (which may need updating as you start adding panels (say next they want database performance logs for each)). I would actually take the approach of returning a single value (apple,pear,orange).

That single value instead of specifying the exact values to look for instead you use as a (partial) selector for Tags or Eventtypes that you have build to contain the properties needed to select the data you want in each.

In your example above (and obviously I'm making up some additional information around the scenario for lack of knowledge of your exact scenario), lets say that you build event types:

apple_iis: sourcetype=iis Apples
pear_iis: sourcetype=iis Pears
orange_iis: sourcetype=iis Oranges

And the following tags:

apple: tcp_port=5000
pear:  tcp_port=6000
orange: tcp_port=7000

Then your panel for IIS logs could search for:

index=iis eventtype=$producttype$_iis

and your panel for firewall logs could search for example:

index=fw tag::tcp_port=$producttype$

View solution in original post

acharlieh · ‎12-30-2014

Instead of trying to specify multiple values in your form (which may need updating as you start adding panels (say next they want database performance logs for each)). I would actually take the approach of returning a single value (apple,pear,orange).

That single value instead of specifying the exact values to look for instead you use as a (partial) selector for Tags or Eventtypes that you have build to contain the properties needed to select the data you want in each.

In your example above (and obviously I'm making up some additional information around the scenario for lack of knowledge of your exact scenario), lets say that you build event types:

apple_iis: sourcetype=iis Apples
pear_iis: sourcetype=iis Pears
orange_iis: sourcetype=iis Oranges

And the following tags:

apple: tcp_port=5000
pear:  tcp_port=6000
orange: tcp_port=7000

Then your panel for IIS logs could search for:

index=iis eventtype=$producttype$_iis

and your panel for firewall logs could search for example:

index=fw tag::tcp_port=$producttype$

epacke · ‎01-02-2015

I get what you mean. Need to read more about tags, but that should do it. Thanks!

One choice, multiple values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation