How to search search indexes based on application ...

KSKandala · ‎06-22-2016

Hi,

Currently I am consolidating data from different indexes.

index=application1 ID=$id$ | rename application1_id as ID | TABLE ID, STATUS | append [search 
index=application2 ID=$id$ | rename application2_id as ID | TABLE ID, STATUS | append [search 
index=application3 ID=$id$ | rename application3_id as ID | TABLE ID, STATUS]

Now I want to provide a checkbox for users to choose applications they want to search.

Ex: If a user selects application1 and 3, then application2 search should not get execute.

I have tried different options with eval(), but not getting any output. Please provide the recommended way!

somesoni2 · ‎06-22-2016

Try like this

<form>
....
 <fieldset>
  <input type="checkbox" token="application">
    <choice value="application1">Application1</choice>
    <choice value="application2">Application2</choice>
    <choice value="application3">Application3</choice>
    <delimiter> OR index=</delimiter>
    <prefix>index=</prefix>
    <suffix>)</suffix>
    <valuePrefix>"</valuePrefix>
    <valueSuffix>"</valueSuffix>
  </input>
</fieldset>
<row>
    <panel>
      <table>
        <title>Top source types in the last 24 hours</title>
        <search>
          <query>
         $application$ | eval ID=coalesce(application1_id,application2_id,application3_id) | search ID=$id$ | table ID STATUS
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">5</option>
        <option name="rowNumbers">0</option>
      </table>
    </panel>
  </row>
</form>

How to search search indexes based on application selection from a checkbox input and append results?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!