- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- One choice, multiple values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I'm trying to build a dashboard that searches two different indexes/sourcetypes using values from a dropdown.
Let's say I have a drop down with sites that sells different products:
Dropdown:
Apples
Pears
Oranges
When choosing "apples" and submitting I want the dashboard to show IIS logs from the apples web sites in one panel, and also firewall traffic to the apples site in another panel.
Since they're in different indexes and sourcetypes with different kind of distinguishers I was wondering if there was a way of storing multiple values in one choice (warning for crappy code), ie:
<input type="dropdown" token="producttype">
<label>Brand:</label>
<choice value1="Apples" value2="tcp_port=5000">Apples</choice>
<choice value1="Pears" value2="tcp_port=6000">Pears</choice>
<choice value1="Oranges" value2="tcp_port=7000">Oranges</choice>
<default>Choose a brand</default>
</input>
Hope that was somewhat clear?
Kind regards,
Patrik
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of trying to specify multiple values in your form (which may need updating as you start adding panels (say next they want database performance logs for each)). I would actually take the approach of returning a single value (apple,pear,orange).
That single value instead of specifying the exact values to look for instead you use as a (partial) selector for Tags or Eventtypes that you have build to contain the properties needed to select the data you want in each.
In your example above (and obviously I'm making up some additional information around the scenario for lack of knowledge of your exact scenario), lets say that you build event types:
apple_iis: sourcetype=iis Apples
pear_iis: sourcetype=iis Pears
orange_iis: sourcetype=iis Oranges
And the following tags:
apple: tcp_port=5000
pear: tcp_port=6000
orange: tcp_port=7000
Then your panel for IIS logs could search for:
index=iis eventtype=$producttype$_iis
and your panel for firewall logs could search for example:
index=fw tag::tcp_port=$producttype$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of trying to specify multiple values in your form (which may need updating as you start adding panels (say next they want database performance logs for each)). I would actually take the approach of returning a single value (apple,pear,orange).
That single value instead of specifying the exact values to look for instead you use as a (partial) selector for Tags or Eventtypes that you have build to contain the properties needed to select the data you want in each.
In your example above (and obviously I'm making up some additional information around the scenario for lack of knowledge of your exact scenario), lets say that you build event types:
apple_iis: sourcetype=iis Apples
pear_iis: sourcetype=iis Pears
orange_iis: sourcetype=iis Oranges
And the following tags:
apple: tcp_port=5000
pear: tcp_port=6000
orange: tcp_port=7000
Then your panel for IIS logs could search for:
index=iis eventtype=$producttype$_iis
and your panel for firewall logs could search for example:
index=fw tag::tcp_port=$producttype$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get what you mean. Need to read more about tags, but that should do it. Thanks!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
