I want to write a search where I can use Windows and Linux servers. I want to have two searches in one, but I want only a set of hosts to use this search and another set of different searches use this search. I need it for a dropdown input on a dashboard. Please help.
I would use two tokens: $windows_search$ and $linux_search$. Depending on which host was selected in the list, I'd set one of those tokens and unset the other, and then I'd use a depends clause to display the appropriate panel, with its respective search. Here's a demo of what I'm describing. You can create a test dashboard on your search head and paste this code in directly to test/play, as it's written to run anywhere:
<form>
  <label>test_dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tok_host">
      <label>host</label>
      <choice value="win1">win1</choice>
      <choice value="win2">win2</choice>
      <choice value="lin1">lin1</choice>
      <change>
        <condition label="win1">
          <set token="windows_search">1</set>
          <unset token="linux_search"></unset>
        </condition>
        <condition label="win2">
          <set token="windows_search">1</set>
          <unset token="linux_search"></unset>
        </condition>
        <condition label="lin1">
          <set token="linux_search">1</set>
          <unset token="windows_search"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$windows_search$">
      <table>
        <search>
          <query>|stats count |eval name="I'm a windows search", selected_host=$tok_host|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$linux_search$">
      <table>
        <search>
          <query>|stats count |eval name="I'm a linux search", selected_host=$tok_host|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
I have multiple hosts. How will I do it for about 30 Windows servers and 30 Linux servers? Would I have to create a condition for each server?
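Added example, not part of the original posts: a Python script that generates the dropdown's choice and condition entries from two host lists, following the token pattern of the dashboard above, so the per-host blocks do not have to be typed by hand. The host names are constructed placeholders and the function names are this example's own; host names are XML-escaped so an unusual name cannot break the dashboard source.

```python
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed sample inventory (hypothetical host names).
WINDOWS_HOSTS = [f"win{i}" for i in range(1, 31)]
LINUX_HOSTS = [f"lin{i}" for i in range(1, 31)]

# OS family -> (token to set, token to unset); token names match the dashboard above.
TOKENS = {"windows": ("windows_search", "linux_search"),
          "linux": ("linux_search", "windows_search")}


def choice(host):
    """One dropdown entry; label and value are both the host name."""
    return f"      <choice value={quoteattr(host)}>{escape(host)}</choice>"


def condition(host, os_family):
    """One <condition> that shows the panel for this host's OS family."""
    set_tok, unset_tok = TOKENS[os_family]
    return "\n".join([
        f"        <condition label={quoteattr(host)}>",
        f'          <set token="{set_tok}">1</set>',
        f'          <unset token="{unset_tok}"></unset>',
        "        </condition>",
    ])


def build_input(windows_hosts, linux_hosts):
    """Return the <input> element text for the host dropdown."""
    overlap = set(windows_hosts) & set(linux_hosts)
    if overlap:
        # A host in both lists would get two conflicting conditions.
        raise ValueError(f"hosts listed under both OS families: {sorted(overlap)}")
    tagged = ([(h, "windows") for h in windows_hosts]
              + [(h, "linux") for h in linux_hosts])
    lines = ['    <input type="dropdown" token="tok_host">',
             "      <label>host</label>"]
    lines += [choice(h) for h, _ in tagged]
    lines.append("      <change>")
    lines += [condition(h, fam) for h, fam in tagged]
    lines += ["      </change>", "    </input>"]
    return "\n".join(lines)


if __name__ == "__main__":
    xml_text = build_input(WINDOWS_HOSTS, LINUX_HOSTS)
    ET.fromstring(xml_text)  # fail loudly if the output is not well-formed XML
    print(xml_text)
```

The printed element replaces the input block inside the fieldset of the dashboard above; the two panels stay unchanged.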