Drop-down not populating with right values based on 1st drop-down and doesn't restore to defaults

nmohammed
Contributor

I have two drop-downs: one for clientid and another one for the host. I am running a regex in real time to pull the host field, as it is not extracted because the log inputs come from a single shared location.

The host field should get populated based on the clientid selected in the first drop-down; it also doesn't restore the defaults. I am attaching the XML.

Encompass Service Review Dashboard
Application and Infrastructure Performance

<input type="time" token="time" searchWhenChanged="false">
  <label>Select Time Range</label>
  <default>
    <earliestTime>-15m</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>
<input type="dropdown" token="clientid">
  <label>Select Client ID</label>
  <choice value="*">All</choice>
  <search>
    <query>| inputlookup clientid.csv | dedup clientid  | eval c = clientid+" - "+client_name | table c, clientid | sort c</query>
    <earliest>-1d@d</earliest>
    <latest>@d</latest>
  </search>
  <fieldForLabel>c</fieldForLabel>
  <fieldForValue>clientid</fieldForValue>
</input>
<input type="dropdown" token="span" searchWhenChanged="false">
  <label>Select Time Intervals</label>
  <choice value="5m">5 Minutes</choice>
  <choice value="15m">15 Minutes</choice>
  <choice value="30m">30 Minutes</choice>
  <choice value="1h">1 Hour</choice>
  <choice value="1d">1 Day</choice>
  <choice value="30d">1 Month</choice>
  <choice value="1m">1 Minute</choice>
  <choice value="30s">30 Seconds</choice>
  <choice value="1s">1 Second</choice>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
  <label>Server</label>
  <search>
    <query>index="e_logs" clientid=1111111  earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)"    | stats count by hostr</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <choice value="*">All</choice>
</input>


<panel>
  <chart>
    <title>CPU Utilization</title>
    <search>
      <query>index="perfmon" sourcetype="Perfmon:CPUTime" host=$host$ | bucket _time span=$span$ | timechart avg(Value)</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.chart">column</option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
<panel>
  <chart>
    <title>Memory Utilization</title>
    <search>
      <query>index=perfmon sourcetype="Perfmon:Memory" counter="Committed Bytes" host=$host$ | eval AMB=Value/(1024*1024) |bucket _time span=$span$ | stats avg(AMB) as "Used(MB)" by _time | appendcols [search index=perfmon sourcetype="Perfmon:Memory" counter="Available MBytes" host=$host$ | bucket _time span=$span$ | stats avg(Value) as "AvailableMem(MB)" by _time] | table _time, AvailableMem(MB), Used(MB)</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">area</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
<panel>

The second drop-down is the server field, which is not working. Based on this the :

  <label>Server</label>
  <search>
    <query>index="e_logs" clientid=111111  earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)"    | stats count by host</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <choice value="*">All</choice>
</input>


<panel>

The charts for CPU and Memory are based on this "host" field that gets populated in the drop-down. I am unable to get it dynamically passed to the CPU and Memory charts, as the perfmon data is from a different index and the host field is coming from a different index.

Please advise on this. Appreciate your help!

0 Karma

gokadroid
Motivator

There are two things:

1) In your original xml you have a typo in query, hostr rather than host

     index="e_logs" clientid=1111111  earliest=-1d@d  |  rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)"    | stats count by hostr

2) In the second extract of xml for the second dropdown, even though the query is correct, how is it supposed to change at runtime when you have hardcoded clientid=111111? Can you change it to $clientid$, the token that gets passed on from the first dropdown?

So basically whatever is your token being passed from first search, I am taking it as $clientid$, use that in the search of second drop down:

 
     index="e_logs" clientid=$clientid$ earliest=-1d@d | rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^.]+)" | stats count by host

0 Karma