I'm creating a dashboard to help less technical operators evaluate the contents of our indexes so that we can restructure the roles and data access.
This is the source as it stands today (the search will be replaced by a report performing the same search once a day):
<form>
  <label>Index Investigation Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="index_name" searchWhenChanged="false">
      <label>Index</label>
      <search>
        <query>index=* OR index=_* | stats values(index) AS indexname | eval label=indexname | table indexname, label</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>indexname</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Hosts and Sources</title>
        <search>
          <query>index="$index_name$" | eval host_and_source=(host . " | " . source) | stats values(host_and_source) AS "Hosts and Sources"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
What is absolutely driving me crazy right now is the drop-down is a comma separated string of all of the indexes. I'm not getting discrete values to select, I'm getting a great big string of garbage. WHY?!?
Thank you much this was driving me nuts too, mvexpand sorted my query too.
Try this search instead to populate your dropdown: | tstats count where index=* OR index=_* by index | fields - count | eval label=index
Much faster and with less hair-loss... 😉
And, to actually answer your question: You are getting a comma-separated value list, because of your use of stats values(), which creates a multi-value field. You should be getting the results you want by changing your search to index=* OR index=_* | stats values(index) AS indexname | mvexpand indexname | eval label=indexname. Note that you do not need the table command at the end. It actually only hurts you performance-wise.
I would still use tstats, because it goes against metadata instead of having to sift through buckets.
Still doesn't work 😕
I'm just going to type the static values in, this is costing me too much time already
Had the same issue in my form, in one environment the dropdown worked fine with a stats(values) statement, but in a different server environment, the same search produced a comma-separated list. Using mvexpand fixed this for me.
Fair enough. I did test my | tstats query on a sample dashboard, so I was sure it would work before posting. Let us know if you want to make it dynamic at a later time. Happy to take another look.
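An added example, not part of the original thread: the two dropdown searches suggested above, each placed in a Simple XML input. fieldForLabel and fieldForValue have to name fields the populating search actually returns, so the tstats version uses index where the original dashboard used indexname. The token name index_name_mv and the second input's label are made up for illustration.

```xml
<form>
  <label>Index Investigation Dashboard</label>
  <fieldset submitButton="false">
    <!-- Variant 1: tstats reads index metadata and returns one row per index.
         The search outputs the fields "index" and "label", so those are the
         names the input must reference. -->
    <input type="dropdown" token="index_name" searchWhenChanged="false">
      <label>Index</label>
      <search>
        <query>| tstats count where index=* OR index=_* by index | fields - count | eval label=index</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>index</fieldForValue>
    </input>
    <!-- Variant 2: stats values() yields a single row holding a multi-value
         field; mvexpand splits it into one row per index, so the dropdown
         gets discrete choices. Field names match the original dashboard.
         The token name index_name_mv is hypothetical. -->
    <input type="dropdown" token="index_name_mv" searchWhenChanged="false">
      <label>Index (mvexpand variant)</label>
      <search>
        <query>index=* OR index=_* | stats values(index) AS indexname | mvexpand indexname | eval label=indexname</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>indexname</fieldForValue>
    </input>
  </fieldset>
</form>
```

Both searches only list indexes that the role running the dashboard is allowed to search, so the dropdown contents depend on who opens it.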