I have a bunch of indexes in the format of <environment>-<machineType>.
These are something like test-manager, staging-manager, staging-client.
I would like to build a dashboard where the user can select 2 different multi-value inputs, one for the environment and another for the machine type which would then reflect on the graphs themselves.
I can build a dynamic multi-valued input for environment using a query like
| eventcount summarize=false index="*" | rex field=index "(?<environment>.*?)-.*?$" | dedup environment | fields environment
or just a static one, doesn't matter much.
What I am having a hard time with is how do I join the user selections into a search?
An example would be: the user selects test and qa for environment and then selects manager for machine type, and I am looking for the query to contain something like
index="test-manager" OR index="qa-manager"
How would one go about this?
You can try using the token prefix and token suffix as tokens themselves.
E.g., for environment, the token suffix will be -$machinetype$, and for machinetype the token prefix will be -$environment$.
Hope this helps!
There are many ways. Probably the easiest, if the words are all distinct on both sides, is to just have each side wildcarded so that...
(index="test-*" OR index="staging-*" ...) AND (index="*-manager" OR index="*-client"... )