I have two drop-downs: one for clientid and another one for the host. I am running a regex in real time to pull the host field, as it is not extracted because the log inputs come from a single shared location.
The host field should get populated based on the clientid selected in the first drop-down; it also doesn't restore the defaults. I am attaching the XML.
Encompass Service Review Dashboard
Application and Infrastructure Performance
<input type="time" token="time" searchWhenChanged="false">
<label>Select Time Range</label>
<default>
<earliestTime>-15m</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
<input type="dropdown" token="clientid">
<label>Select Client ID</label>
<choice value="*">All</choice>
<search>
<query>| inputlookup clientid.csv | dedup clientid | eval c = clientid+" - "+client_name | table c, clientid | sort c</query>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</search>
<fieldForLabel>c</fieldForLabel>
<fieldForValue>clientid</fieldForValue>
</input>
<input type="dropdown" token="span" searchWhenChanged="false">
<label>Select Time Intervals</label>
<choice value="5m">5 Minutes</choice>
<choice value="15m">15 Minutes</choice>
<choice value="30m">30 Minutes</choice>
<choice value="1h">1 Hour</choice>
<choice value="1d">1 Day</choice>
<choice value="30d">1 Month</choice>
<choice value="1m">1 Minute</choice>
<choice value="30s">30 Seconds</choice>
<choice value="1s">1 Second</choice>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Server</label>
<search>
<query>index="e_logs" clientid=1111111 earliest=-1d@d | rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)" | stats count by hostr</query>
<earliest>0</earliest>
<latest></latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<choice value="*">All</choice>
</input>
<panel>
<chart>
<title>CPU Utilization</title>
<search>
<query>index="perfmon" sourcetype="Perfmon:CPUTime" host=$host$ | bucket _time span=$span$ | timechart avg(Value)</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>Memory Utilization</title>
<search>
<query>index=perfmon sourcetype="Perfmon:Memory" counter="Committed Bytes" host=$host$ | eval AMB=Value/(1024*1024) |bucket _time span=$span$ | stats avg(AMB) as "Used(MB)" by _time | appendcols [search index=perfmon sourcetype="Perfmon:Memory" counter="Available MBytes" host=$host$ | bucket _time span=$span$ | stats avg(Value) as "AvailableMem(MB)" by _time] | table _time, AvailableMem(MB), Used(MB)</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">area</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
The second drop-down is the server field, which is not working. Based on this the :
<label>Server</label>
<search>
<query>index="e_logs" clientid=111111 earliest=-1d@d | rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)" | stats count by host</query>
<earliest>0</earliest>
<latest></latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<choice value="*">All</choice>
</input>
<panel>
The charts for CPU and Memory are based on this "host" field that gets populated in the drop-down. I am unable to get it dynamically passed to the CPU and Memory charts, as the perfmon data is from a different index and the host field is coming from a different index.
Please advise on this. Appreciate your help!
There are two things:
1) In your original XML you have a typo in the query, hostr rather than host:
index="e_logs" clientid=1111111 earliest=-1d@d | rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^\.]+)" | stats count by hostr
2) In the second extract of XML for the second dropdown, even though the query is correct, how is it supposed to change at runtime when you have hardcoded clientid=111111? Can you change it to $clientid$, the token that gets passed on from the first dropdown?
So basically, whatever token is being passed from the first search (I am taking it as $clientid$), use that in the search of the second dropdown:
index="e_logs" clientid=$clientid$ earliest=-1d@d | rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^.]+)" | stats count by host
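
The two dependent inputs written out as Simple XML, with the answer's `$clientid$` token in the second dropdown's search. This is an added example, not part of the original posts: the lookup, index and field names are taken from the question, while the `<default>` values, the `<change>` block that resets the Server selection, and the CDATA wrapper around the query are assumptions about how the dashboard should behave.

```xml
<!-- Added example: cascading dropdowns, not the poster's final dashboard -->
<input type="dropdown" token="clientid" searchWhenChanged="true">
  <label>Select Client ID</label>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <query>| inputlookup clientid.csv | dedup clientid | eval c = clientid+" - "+client_name | table c, clientid | sort c</query>
  </search>
  <fieldForLabel>c</fieldForLabel>
  <fieldForValue>clientid</fieldForValue>
  <change>
    <!-- Assumption: fall back to "All" servers whenever a different client is picked,
         so a host from the previous client is not left selected -->
    <set token="form.host">*</set>
  </change>
</input>
<input type="dropdown" token="host" searchWhenChanged="true">
  <label>Server</label>
  <choice value="*">All</choice>
  <default>*</default>
  <search>
    <!-- $clientid$ replaces the hardcoded clientid, so this search reruns
         each time the first dropdown changes. CDATA keeps the named capture
         group (?P<host>...) from being parsed as an XML tag. -->
    <query><![CDATA[index="e_logs" clientid=$clientid$ earliest=-1d@d | rex field=source "Server.[A-Za-z0-9]*.(?P<host>[^.]+)" | stats count by host]]></query>
    <earliest>-1d@d</earliest>
    <latest>now</latest>
  </search>
  <fieldForLabel>host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
</input>
```

The panels then pick up the selection through `host=$host$` exactly as in the question's CPU and Memory searches; the token carries only the extracted host string, so it works across indexes as long as the perfmon `host` values match what the regex extracts.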