
how to add a textbox value to a multiselect input in order to filter out all values selected in multiselect

pevniacik
Engager

Hi, I'd like to use a text box input field to add a string value into a multiselect in order to use multiselect token to filter out values currently in multiselect (with true) for each search query I use

<input type="text" token="filter_out_text_input" id="filter_out_text_input">
<label>Enter a log event you want to filter out</label>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
<input type="multiselect" token="filter_out_option" id="filter_out_option">
<label>List to filter out log events</label>
<valuePrefix>NOT "*</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
</input>

 

...

<title>$app$ Error Frequency</title>
<chart>
<search>
<query>index="$app$-$env$" logLevel="ERROR" $filter_out_option$ $filter_out_text_input$
| eval filter_out_option="$filter_out_option$"
| where isnotnull(filter_out_option) AND filter_out_option!=""
| eval filter_out_text_input="$filter_out_text_input$"
| where isnotnull(filter_out_text_input) AND filter_out_text_input!=""
| multikv | eval ReportKey="error rate"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="refresh.display">progressbar</option>
</chart>

 

I would like to filter out error strings for the above search 

Thanks in advance

0 Karma

renjith_nair
Legend

@pevniacik ,

Are you looking for something like this?

Test by selecting a few projects and adding the text "Error" to the text box to filter

<form version="1.1" theme="light">
  <label>MultiSelect_Text</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="Project">
      <label>Project</label>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <fieldForLabel>Project</fieldForLabel>
      <fieldForValue>Project</fieldForValue>
      <search>
        <query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="text_filter" searchWhenChanged="true">
      <label>Text to Filter</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")
|where Project in ($Project$) AND NOT like (Record,"%$text_filter$%")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

---
What goes around comes around. If it helps, hit it with Karma 🙂


0 Karma

pevniacik
Engager

Thank you @renjith_nair, this is fine for what I need.

 

0 Karma

pevniacik
Engager

It seems there might be a misunderstanding. I'd prefer to steer clear of utilizing the makeresults command. My aim is to pinpoint a particular index (application) within a specific environment and gather all events categorized as errors or warnings.

Ideally, I'd like these events consolidated into a single location for ease of review. However, not all errors or warnings are pertinent to my needs. Therefore, I'd like to implement a filter mechanism where I can selectively exclude events by inputting a portion of the log message body into a text box. This text input would then be added to a multi-select feature, enabling me to filter out undesired events effectively.

I'd then use a token of a multi-select input and use that token in queries I already have....
See the Dashboard I provided you 

Thank you in advance

0 Karma

renjith_nair
Legend

@pevniacik ,

makeresults is for me to create dummy events. It does not matter which search or values you use. What we need to look at is whether the logic works for you. In this case, does the logic provided in the sample work for you with the checkbox and text input? If not, based on the sample dashboard, what changes do you foresee?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

pevniacik
Engager

@renjith_nair  not exactly

Currently, I am using the checkbox type to filter out error log events, and those need to be pre-defined already

see the whole dashboard

<form theme="light">
<label>LDP Apps monitoring</label>
<fieldset submitButton="false" autoRun="false">
<input type="dropdown" token="app" searchWhenChanged="true">
<label>Application</label>
<choice value="app_1">App 1</choice>
<choice value="app_2">App 2</choice>
<choice value="app_3">App 3</choice>
<default>App 1</default>
<initialValue>App 1</initialValue>
</input>
<input type="dropdown" token="env" searchWhenChanged="true">
<label>Environment</label>
<choice value="qa">QA</choice>
<choice value="uat">UAT</choice>
<choice value="prod">PROD</choice>
<default>prod</default>
<initialValue>prod</initialValue>
</input>
<input type="time" token="time_range">
<label>Time Period</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="search_input" id="search_input" searchWhenChanged="true">
<label>Search for a certain log message</label>
</input>
<html>
<style>
div[id^="search_input"]{
width: 1000px !important;
}
</style>
</html>
<input type="checkbox" token="selected" searchWhenChanged="true" id="checkboxes">
<label>Filter out frequent errors:</label>
<choice value="AND NOT &quot;Error Log Message 1 to filter out&quot;">Error Log Message 1 to filter out</choice>
<choice value="AND NOT &quot;Error Log Message 2 to filter out&quot;">Error Log Message 2 to filter out</choice>
<choice value="AND NOT &quot;Error Log Message 3 to filter out&quot;">Error Log Message 3 to filter out</choice>
<choice value="AND NOT &quot;Error Log Message 4 to filter out&quot;">Error Log Message 4 to filter out</choice>
<delimiter> </delimiter>
<default></default>
</input>
<html>
<style>
div[id^="checkboxes"]{
width: 1000px !important;
}
</style>
</html>
</fieldset>
<row>
<panel>
<title>$app$ Access logs - status code</title>
<chart>
<title>**hardcoded time period</title>
<search>
<query>index="$app$-$env$" access_log status_code!="20*"
| timechart span=10m count by status_code</query>
<earliest>-3d</earliest>
<latest>now</latest>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>$app$ Error Frequency</title>
<chart>
<search>
<query>index="$app$-$env$" logLevel="ERROR" $selected$
| multikv | eval ReportKey="error rate"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">1</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>$app$ Specific Error Logs</title>
<table>
<search>
<query>index="$app$-$env$" logLevel="ERROR" $selected$
| rex mode=sed "s:&lt;1512&gt;:\n:g"
| bucket _time span=5m
| table _time, logName, logLevel, _raw | sort -_time</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>$app$ WARN Frequency</title>
<chart>
<search>
<query>index="$app$-$env$" logLevel="WARN" $selected$
| multikv | eval ReportKey="warn rate"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.chart">area</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>$app$ Warn Messages</title>
<table>
<search>
<query>index="$app$-$env$" logLevel="WARN" $selected$
| rex mode=sed "s:&lt;1512&gt;:\n:g"
| bucket _time span=5m
| table _time, logName, logLevel, _raw | sort -_time</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<refresh>1m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="logLevel">
<colorPalette type="list">[#53A051,#006D9C,#F8BE34,#F1813F,#DC4E41]</colorPalette>
<scale type="threshold">0,30,70,100</scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Specific log event search</title>
<chart>
<title>**Copy a log message to search for an error log history, hardcoded time period</title>
<search>
<query>index="$app$-$env$" "$search_input$"
| eval search_input="$search_input$"
| where isnotnull(search_input) AND search_input!=""
| multikv | eval ReportKey="searched_event"
| timechart span=30m count by ReportKey</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.drilldown">all</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</form>




I want to use a text box input type to add a specific error message string into a multiselect, and that multiselect will be placed in each query provided above

so I can filter out certain events without having them specified in checkboxes

Also, I want to use an empty multiselect as the default each time the dashboard is loaded

0 Karma

renjith_nair
Legend

So you want to use a checkbox and not a multiselect. The two are different in the Splunk context.

Here is the updated one. You can leave the checkbox and just filter in the text box, or you can select the checkbox and the filter.

<form version="1.1" theme="light">
  <label>CheckBox_Text</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="exclude" searchWhenChanged="true" id="checkbox">
      <label>Select to exclude</label>
      <fieldForLabel>Project</fieldForLabel>
      <fieldForValue>Project</fieldForValue>
      <search>
        <query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
      <prefix>AND NOT Project IN (</prefix>
      <suffix>)</suffix>
      <default>""</default>
    </input>
    <input type="text" token="text_filter" searchWhenChanged="true">
      <label>Text to Filter</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults count=5|streamstats count |eval Project="Project".count|eval Record="Some records "|eval Record=if(count%2==0,Record,Record."Error")
|where NOT like (Record,"%$text_filter$%")  $exclude$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
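
An added example, not code from either poster: one way to get a free-text exclusion list is a multiselect with `allowCustomValues`, wrapped so the token expands to `NOT ("*a*" OR "*b*")`. The `__nothing_excluded__` sentinel choice and the form label are constructed placeholders; the index naming and the `app`/`env` tokens follow the dashboard posted above.

```xml
<form version="1.1" theme="light">
  <label>Exclude_Custom_Text</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="app" searchWhenChanged="true">
      <label>Application</label>
      <choice value="app_1">App 1</choice>
      <choice value="app_2">App 2</choice>
      <default>app_1</default>
    </input>
    <input type="dropdown" token="env" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="qa">QA</choice>
      <choice value="prod">PROD</choice>
      <default>prod</default>
    </input>
    <input type="multiselect" token="filter_out_option" searchWhenChanged="true">
      <label>Log text to filter out</label>
      <!-- Accept typed values that are not among the predefined choices -->
      <allowCustomValues>true</allowCustomValues>
      <!-- Constructed sentinel: keeps the token set while nothing real is excluded -->
      <choice value="__nothing_excluded__">(nothing excluded)</choice>
      <default>__nothing_excluded__</default>
      <!-- Token becomes: NOT ("*a*" OR "*b*"), dropping events that match ANY entry -->
      <prefix>NOT (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"*</valuePrefix>
      <valueSuffix>*"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$app$ Error Frequency</title>
      <chart>
        <search>
          <query>index="$app$-$env$" logLevel="ERROR" $filter_out_option$
| timechart span=30m count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">area</option>
      </chart>
    </panel>
  </row>
</form>
```

With `NOT "*` as the `valuePrefix` and ` OR ` as the delimiter, as in the question, the token expands to `NOT "*a*" OR NOT "*b*"`, which only drops events that contain every entry. A typed value containing a double quote ends the quoted term early and breaks the search.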
