Why do Panels show no records when multiple values selected in multiselect input?

gbwilson
Path Finder

I'm trying to create a dashboard that shows all devices with a certain OS. To start, I have three dashboard panels: one for VMs, one for PCs, and one for physical hosts. I'm using one multiselect input with operating system options to populate each device type panel. I want the panels to dynamically update when one or more operating systems is selected. However, when I pick more than one OS, I get an error on each panel saying "No results found."

How can I use one multiselect token to populate multiple panels when selecting more than one OS?

<form>
  <label>CMS_OS</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="multiselect" token="ostestfield" searchWhenChanged="true">
      <label>OSTEST</label>
      <fieldForLabel>Operating System</fieldForLabel>
      <fieldForValue>Operating System</fieldForValue>
      <search>
        <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
      <delimiter> OR </delimiter>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>VM OS</title>
      <table>
        <search>
          <query>index=cms_vm OperatingSystem_Code="$ostestfield$" |dedup VM|table VM OperatingSystem_Code | rename OperatingSystem_Code as OS</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>PCs</title>
        <search>
          <query>index=cms_pc OSVersion="$ostestfield$" | dedup DeviceName | table DeviceName OSVersion | rename OSVersion as OS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Hosts</title>
        <search>
          <query>index=cms_host OperatingSystem_Code="$ostestfield$" | dedup DeviceName | table DeviceName OperatingSystem_Code</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

DalJeanis
SplunkTrust

Okay, here are the first couple of things I notice.

1) In this code you are building a synthetic field value that is not on your underlying records, and then later you are trying to use that nonexistent field to select your records.

     <query>index=cms_pc OR index=cms_vm OR index=cms_host | eval "Operating System"=coalesce(OSVersion,OperatingSystem_Code) | dedup "Operating System"</query>

I'm going to assume that you have defined that somewhere else, or your code should not be working right for ONE selection, let alone multiselects.

2) In this code, you are creating a single multivalue token ...

   <delimiter> OR </delimiter>
   <valuePrefix>"</valuePrefix>
   <valueSuffix>"</valueSuffix>

...with a result that looks like this...

 ( "value1" OR "value2" OR .... OR "value99"  )

...and then later you are trying to use it in this code...

 index=cms_vm OperatingSystem_Code="$ostestfield$"  | more stuff

...but the resulting substitution is not meaningful to Splunk...

      index=cms_vm OperatingSystem_Code="( "value1" OR "value2" OR ... OR "value99" ) "

... so you need to change your format in two places.

Try changing this...

   <valuePrefix>"</valuePrefix>

...to this...

   <valuePrefix>OperatingSystem_Code="</valuePrefix>

...and changing this...

  index=cms_vm OperatingSystem_Code="$ostestfield$" 

...to this...

  index=cms_vm   $ostestfield$ 


paritoshs24
Path Finder
  index=cms_vm   $ostestfield$ 

@DalJeanis  @gbwilson 

Instead of the above command, we can use

index IN (cms_pc cms_vm cms_host) OperatingSystem_Code IN ($ostestfield$)

gbwilson
Path Finder

Thank you for your help. New to Splunk and your answer explained everything very clearly. I really appreciate it.
