Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The options on the dashboard filter dropdown is showing extra options, that are not coming in the actual search query.

cadrija
Path Finder
‎12-05-2021 11:59 PM

The query is giving desired result of 3 host

index=* | table host | stats count by host

cadrija_2-1638777284367.png

First few seconds it is showing correct options on the dashboard filter where the same query has been impemented.

cadrija_0-1638777129547.png

Then it is showing extra options as marked in the snip after few seconds of loading of whole dashboard.

cadrija_1-1638777210038.png

Please help me to resolve this.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2021 03:25 AM

Try limiting the search for your dropdown

<query>index=* sourcetype="WMI:*"| table host | stats count by host</query>

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2021 02:09 AM

What's the search that populates the dropdown?

0 Karma
Reply
Solved! Jump to solution

cadrija
Path Finder
‎12-06-2021 02:44 AM

index=* | table host | stats count by host

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2021 01:32 AM

Look for re-use of token names with your dashboard code. Alternatively, just rename the token being created and used by the dropdown to something else to ensure it is unique.

Reply
Solved! Jump to solution

cadrija
Path Finder
‎12-06-2021 02:28 AM

I renamed the token, it is the only token being used in the entire dashboard.

Still show same result in the filter dropdown options 😔

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2021 02:32 AM

Can you share your entire dashboard code?

Alternatively, save a copy of the code, and start stripping out other parts of the dashboard until the behaviour returns to what you expect. This may help you identify where the odd behaviour is coming from.

Reply
Solved! Jump to solution

cadrija
Path Finder
‎12-06-2021 02:58 AM

@ITWhisperer I have just kept the filter in the dashboard & it is showing correct values, even if I am adding one panel only the garbage values are coming in the filter.

My dashboard code.

<form>
<label>IO Metrics</label>
<fieldset submitButton="true" autoRun="true">
<input type="dropdown" token="server" searchWhenChanged="false">
<label>Host</label>
<search>
<query>index=* | table host | stats count by host</query>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Free Disk Space</title>
<table>
<search>
<query>index=* sourcetype="WMI:FreeDiskSpace" PercentFreeSpace&lt;100 | search host=$server$ | where NOT IN (Name,"_Total","HarddiskVolume1") | eval FreeSpace=(FreeMegabytes/1024) | table host, Name, FreeSpace, PercentFreeSpace | rename host as Host | rename Name as "Drive Name" | rename FreeSpace as "Free Space in GB" | rename PercentFreeSpace as "Free Space in Percentage" | sort by Host, "Drive Name" | sort -_time | dedup Host, "Drive Name"</query>
<earliest>-30m@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="host">
<colorPalette type="minMidMax" maxColor="#006D9C" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
<format type="number" field="FreeSpace"></format>
<format type="number" field="Free Space in GB">
<option name="unit">GB</option>
</format>
<format type="number" field="Free Space in Percentage">
<option name="precision">0</option>
<option name="unit">%</option>
</format>
<format type="color" field="Free Space in GB">
<colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#DC4E41"></colorPalette>
<scale type="minMidMax" minValue="10"></scale>
</format>
<format type="color" field="Free Space in Percentage">
<colorPalette type="minMidMax" maxColor="#FFFFFF" minColor="#DC4E41"></colorPalette>
<scale type="minMidMax" minValue="10"></scale>
</format>
</table>
</panel>
<panel>
<title>Used Memory</title>
<viz type="region_chart_viz.region_chart_viz">
<search>
<query>index=* sourcetype="WMI:Memory" PercentCommittedBytesInUse&gt;0 | search host=$server$ | rename host as Host | rename PercentCommittedBytesInUse as "Used Space in Percentage" | timechart avg("Used Space in Percentage") as "Used Space in Percentage" by Host | eval regions = "normal=#99D18B,70,Warning=#FCB64E,90,Error=#B50101"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="region_chart_viz.region_chart_viz.last_text">hide</option>
<option name="region_chart_viz.region_chart_viz.line_color">#000000</option>
<option name="region_chart_viz.region_chart_viz.line_size">3</option>
<option name="region_chart_viz.region_chart_viz.multi_series">colored</option>
<option name="region_chart_viz.region_chart_viz.nulls">connect</option>
<option name="region_chart_viz.region_chart_viz.region_align">center</option>
<option name="region_chart_viz.region_chart_viz.region_opacity">35</option>
<option name="region_chart_viz.region_chart_viz.scaleregion">yes</option>
<option name="region_chart_viz.region_chart_viz.shadow">0</option>
<option name="region_chart_viz.region_chart_viz.status_dots">hide</option>
<option name="region_chart_viz.region_chart_viz.summ_text">hide</option>
<option name="region_chart_viz.region_chart_viz.text_precision">-1</option>
<option name="region_chart_viz.region_chart_viz.text_thousands">no</option>
<option name="region_chart_viz.region_chart_viz.text_unit_position">after</option>
<option name="region_chart_viz.region_chart_viz.type">curve</option>
<option name="region_chart_viz.region_chart_viz.xtitle_nice">yes</option>
<option name="region_chart_viz.region_chart_viz.xtitle_show">show</option>
<option name="region_chart_viz.region_chart_viz.xtitle_text">Time</option>
<option name="region_chart_viz.region_chart_viz.ytitle_show">show</option>
<option name="region_chart_viz.region_chart_viz.ytitle_text">Used Space Percentage</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>CPU Utilization</title>
<viz type="region_chart_viz.region_chart_viz">
<search>
<query>index=* sourcetype="WMI:CPUTime" | search host=$server$ | where IN (Name,"0") | rename host as Host | timechart avg(PercentProcessorTime) as PercentProcessorTime by Host | eval regions = "normal=#99D18B,70,Warning=#FCB64E,90,Error=#B50101"
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="region_chart_viz.region_chart_viz.last_text">hide</option>
<option name="region_chart_viz.region_chart_viz.line_color">#000000</option>
<option name="region_chart_viz.region_chart_viz.line_size">3</option>
<option name="region_chart_viz.region_chart_viz.multi_series">colored</option>
<option name="region_chart_viz.region_chart_viz.nulls">connect</option>
<option name="region_chart_viz.region_chart_viz.region_align">center</option>
<option name="region_chart_viz.region_chart_viz.region_opacity">35</option>
<option name="region_chart_viz.region_chart_viz.scaleregion">yes</option>
<option name="region_chart_viz.region_chart_viz.shadow">0</option>
<option name="region_chart_viz.region_chart_viz.status_dots">hide</option>
<option name="region_chart_viz.region_chart_viz.summ_text">hide</option>
<option name="region_chart_viz.region_chart_viz.text_precision">-1</option>
<option name="region_chart_viz.region_chart_viz.text_thousands">no</option>
<option name="region_chart_viz.region_chart_viz.text_unit_position">after</option>
<option name="region_chart_viz.region_chart_viz.type">curve</option>
<option name="region_chart_viz.region_chart_viz.xtitle_nice">no</option>
<option name="region_chart_viz.region_chart_viz.xtitle_show">show</option>
<option name="region_chart_viz.region_chart_viz.xtitle_text">Time</option>
<option name="region_chart_viz.region_chart_viz.ytitle_show">show</option>
<option name="region_chart_viz.region_chart_viz.ytitle_text">Processor Time Percentage</option>
</viz>
</panel>
</row>
<row>
<panel>
<title>Network Utilization</title>
<table>
<search>
<query>index=* sourcetype="WMI:LocalNetwork" | search host=$server$ | eval Bandwidth=(CurrentBandwidth/1073741824) | eval Received=(BytesReceivedPersec/1024) | eval Sent=(BytesSentPersec/1024) | eval Total=(BytesTotalPersec/1024) | rename host as Host | rename Bandwidth as "Current Bandwidth in GB" | rename Received as "Bytes received persec" | rename Sent as "Bytes sent persec" | rename Total as "Bytes total persec" | table Host, "Current Bandwidth in GB", "Bytes received persec", "Bytes sent persec", "Bytes total persec" | sort by Host | sort -_time | dedup Host</query>
<earliest>-30m@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="drilldown">none</option>
<format type="number" field="Current Bandwidth in GB">
<option name="unit">GB</option>
</format>
<format type="number" field="Bytes received persec">
<option name="unit">KB</option>
</format>
<format type="number" field="Bytes sent persec">
<option name="unit">KB</option>
</format>
<format type="number" field="Bytes total persec">
<option name="unit">KB</option>
</format>
</table>
</panel>
</row>
</form>

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2021 03:25 AM

Try limiting the search for your dropdown

<query>index=* sourcetype="WMI:*"| table host | stats count by host</query>
Reply
Solved! Jump to solution

cadrija
Path Finder
‎12-06-2021 03:45 AM

@ITWhisperer Yes I just applied the same change just a few minutes back & it worked. Then I saw your reply & the solution matched!

I think finally I am getting hold of somethings in Splunk.

Thank you so much 😇

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...