One choice, multiple values

epacke
Path Finder

Hi!
I'm trying to build a dashboard that searches two different indexes/sourcetypes using values from a dropdown.

Let's say I have a dropdown with sites that sell different products:

Dropdown:
Apples
Pears
Oranges

When choosing "apples" and submitting I want the dashboard to show IIS logs from the apples web sites in one panel, and also firewall traffic to the apples site in another panel.

Since they're in different indexes and sourcetypes with different kinds of distinguishers, I was wondering if there was a way of storing multiple values in one choice (warning for crappy code), i.e.:

<input type="dropdown" token="producttype">
  <label>Brand:</label>
  <choice value1="Apples" value2="tcp_port=5000">Apples</choice>
  <choice value1="Pears" value2="tcp_port=6000">Pears</choice>
  <choice value1="Oranges" value2="tcp_port=7000">Oranges</choice>
  <default>Choose a brand</default>
</input>

Hope that was somewhat clear?

Kind regards,
Patrik

1 Solution

acharlieh
Influencer

Instead of trying to specify multiple values in your form (which may need updating as you start adding panels, say next they want database performance logs for each), I would actually take the approach of returning a single value (apple, pear, orange).

That single value, instead of specifying the exact values to look for, you instead use as a (partial) selector for tags or event types that you have built to contain the properties needed to select the data you want in each.

In your example above (and obviously I'm making up some additional information around the scenario for lack of knowledge of your exact scenario), let's say that you build event types:

apple_iis: sourcetype=iis Apples
pear_iis: sourcetype=iis Pears
orange_iis: sourcetype=iis Oranges

And the following tags:

apple: tcp_port=5000
pear:  tcp_port=6000
orange: tcp_port=7000

Then your panel for IIS logs could search for:

index=iis eventtype=$producttype$_iis

and your panel for firewall logs could search, for example:

index=fw tag::tcp_port=$producttype$
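
The approach from the answer above, written out as an added example that is not part of the original post: a Simple XML form whose single-valued dropdown token selects the event types and tags, with the matching eventtypes.conf and tags.conf stanzas in the leading comment. Index names, sourcetype, search terms and ports are the ones made up in the thread; the dashboard label and panel titles are assumptions.

```xml
<!--
  Added example. Knowledge objects the two searches rely on
  (shown indented here; in the .conf files they start at column 0):
  eventtypes.conf
    [apple_iis]
    search = sourcetype=iis Apples
    [pear_iis]
    search = sourcetype=iis Pears
    [orange_iis]
    search = sourcetype=iis Oranges
  tags.conf
    [tcp_port=5000]
    apple = enabled
    [tcp_port=6000]
    pear = enabled
    [tcp_port=7000]
    orange = enabled
-->
<form>
  <label>Traffic per brand</label> <!-- label is an assumption -->
  <fieldset submitButton="true">
    <input type="dropdown" token="producttype">
      <label>Brand:</label>
      <!-- One value per choice; it only names an event type prefix / tag -->
      <choice value="apple">Apples</choice>
      <choice value="pear">Pears</choice>
      <choice value="orange">Oranges</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>IIS logs</title>
      <event>
        <!-- $producttype$ expands to apple_iis, pear_iis or orange_iis -->
        <search><query>index=iis eventtype=$producttype$_iis</query></search>
      </event>
    </panel>
    <panel>
      <title>Firewall traffic</title>
      <event>
        <!-- Matches events whose tcp_port value carries the selected tag -->
        <search><query>index=fw tag::tcp_port=$producttype$</query></search>
      </event>
    </panel>
  </row>
</form>
```

Adding a further panel per brand then only needs a new event type or tag that follows the same naming, not a change to the dropdown.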

epacke
Path Finder

I get what you mean. Need to read more about tags, but that should do it. Thanks!
