Updated
Try this
your search to retrieve the list of sourcetypes | map maxsearches=100 search="your search string, using $sourcetype$ as the replacement for the values"
e.g.
index=* | stats count by sourcetype | table sourcetype | map maxsearches=100 search="index=* sourcetype=\"$sourcetype$\" | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5"
Old
You can create a dashboard with a dropdown or textbox to take the sourcetype as input, and then show the result in one panel. Something like this:
<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=* earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$" | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</form>
Thank you!! It works!!
Try this as the populatingSearch:
|metadata type=sourcetypes index=* | stats count by sourcetype
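Added example, not from the original answer or any of the commenters: a Simple XML dashboard that combines the updated answer's goal (top 5 sources for every sourcetype in one query, which the answer does with `map`) with the `| metadata type=sourcetypes` dropdown search suggested in this comment. It assumes the same field names as the thread (`sent`, `rcvd`, `src`); the time picker, the `streamstats` ranking and the "All" handling are my additions. When "All" is selected, the panel ranks per sourcetype without `map`, so one search replaces up to `maxsearches` subsearches.

```xml
<form>
  <label>Dynamic Source (added example)</label>
  <fieldset submitButton="false" autoRun="true">
    <!-- Time picker; its tokens drive both the dropdown search and the panel -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-1h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <!-- metadata reads index metadata instead of scanning events, so the list
           fills quickly; it only shows sourcetypes in indexes the user can search -->
      <search>
        <query>| metadata type=sourcetypes index=* | fields sourcetype</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Top 5 sources by bytes sent, per sourcetype ($sourcetype$)</title>
        <search>
          <!-- Group by sourcetype and src, sort within each sourcetype, then keep
               rank 1..5 per sourcetype. With sourcetype="*" this gives the same
               result as the map loop, in a single search. sort 0 lifts the
               default 10000-row sort limit. "<" must be escaped in Simple XML. -->
          <query>index=* sourcetype="$sourcetype$"
            | stats sum(sent) as send sum(rcvd) as receive by sourcetype src
            | sort 0 sourcetype, -send, -receive
            | streamstats count as rank by sourcetype
            | where rank&lt;=5
            | fields - rank</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Two differences from the answer's layout are deliberate: `<row><panel><table>` and `<search><query>` are the current Simple XML forms (a `<table>` placed directly under `<row>`, or the older `<searchString>` element, is what newer Splunk versions reject with "This dashboard has no panels"), and an empty dropdown is usually a search-scope problem rather than a token problem, so checking the dropdown's search on its own in the search bar, with the same time range and user, is the first thing to try.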
HELP!!
I have no choices in my dropdown list. My sourcetypes are not there.
Again, thank you for your help.
But my dropdown list is empty. There is just "All" and not my log files.
Does it come from the token?
I may have misunderstood the requirement here. Correct me if I am wrong: what you need is a single query which will generate results (using the query mentioned in the question itself) for each sourcetype, without typing the whole query multiple times for each sourcetype. If yes, then try the updated answer.
Hmm...
<![CDATA[index= earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
I don't understand how the sourcetypes are incremented here, because I do not see anything changing.
This is just a sample layout of a dashboard. Please update the queries as per your environment. (in
Thanks for your response.
But your script doesn't work. The result is "This dashboard has no panels." Is it because it does not find the "sourcetype"?