Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do Panels show no records when multiple values selected in multiselect input?

gbwilson
Path Finder
‎06-12-2018 09:29 AM

I'm trying to create a dashboard that shows all devices with a certain OS. To start, I have three dashboard panels: one for VMs, one for PCs, and one for physical hosts. I'm using one multiselect input with operating system options to populate each device type panel. I want the panels to dynamically update when one or more operating systems is selected. However, when I pick more than one OS, I get an error on each panel saying "No results found."

How can I use one multiselect token to populate multiple panels when selecting more than one OS?

<form>
  <label>CMS_OS</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="ostestfield" searchWhenChanged="true">
      <label>OSTEST</label>
      <fieldForLabel>Operating System</fieldForLabel>
      <fieldForValue>Operating System</fieldForValue>
      <search>
        <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>VM OS</title>
      <table>
        <search>
          <query>index=cms_vm OperatingSystem_Code="$ostestfield$" |dedup VM|table VM OperatingSystem_Code | rename OperatingSystem_Code as OS</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>PCs</title>
        <search>
          <query>index=cms_pc OSVersion="$ostestfield$" | dedup DeviceName | table DeviceName OSVersion | rename OSVersion as OS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Hosts</title>
        <search>
          <query>index=cms_host OperatingSystem_Code="$ostestfield$" | dedup DeviceName | table DeviceName OperatingSystem_Code</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-12-2018 03:24 PM

Okay, here are the first couple of things I notice.

1) In this code you are building a synthetic field value that is not on your underlying records, and then later you are trying to use that nonexistent field to select your records.

     <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>

I'm going to assume that you have defined that somewhere else, or your code should not be working right for ONE selection, let alone multiselects.

2) In this code, you are creating a single multivalue token ...

   <delimiter> OR </delimiter>
   <valuePrefix>"</valuePrefix>
   <valueSuffix>"</valueSuffix>

...with a result that looks like this...

 ( "value1" OR "value2" OR .... OR "value99"  )

...and then later you are trying to use it in this code... 

 index=cms_vm OperatingSystem_Code="$ostestfield$"  | more stuff

...but the resulting substitution is not meaningful to splunk... 

      index=cms_vm OperatingSystem_Code="( "value1" OR "value2" OR ... OR "value99" ) "

... so you need to change your format in two places.

Try changing this... 

   <valuePrefix>"</valuePrefix>

...to this... 

   <valuePrefix>OperatingSystem_Code="</valuePrefix>

...and changing this...

  index=cms_vm OperatingSystem_Code="$ostestfield$"

...to this... 

  index=cms_vm   $ostestfield$

View solution in original post

Reply
Solved! Jump to solution

paritoshs24
Path Finder
‎06-18-2022 02:23 PM 
  index=cms_vm   $ostestfield$

@DalJeanis  @gbwilson 

instead of above command  we can use 

index IN (cms_pc cms_vm cms_host) OperatingSystem_Code IN ($ostestfield$)
0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-12-2018 03:24 PM

Okay, here are the first couple of things I notice.

1) In this code you are building a synthetic field value that is not on your underlying records, and then later you are trying to use that nonexistent field to select your records.

     <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>

I'm going to assume that you have defined that somewhere else, or your code should not be working right for ONE selection, let alone multiselects.

2) In this code, you are creating a single multivalue token ...

   <delimiter> OR </delimiter>
   <valuePrefix>"</valuePrefix>
   <valueSuffix>"</valueSuffix>

...with a result that looks like this...

 ( "value1" OR "value2" OR .... OR "value99"  )

...and then later you are trying to use it in this code... 

 index=cms_vm OperatingSystem_Code="$ostestfield$"  | more stuff

...but the resulting substitution is not meaningful to splunk... 

      index=cms_vm OperatingSystem_Code="( "value1" OR "value2" OR ... OR "value99" ) "

... so you need to change your format in two places.

Try changing this... 

   <valuePrefix>"</valuePrefix>

...to this... 

   <valuePrefix>OperatingSystem_Code="</valuePrefix>

...and changing this...

  index=cms_vm OperatingSystem_Code="$ostestfield$"

...to this... 

  index=cms_vm   $ostestfield$
Reply
Solved! Jump to solution

gbwilson
Path Finder
‎06-13-2018 06:05 AM

Thank you for your help. New to Splunk and your answer explained everything very clearly. I really appreciate it.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...