Hi Goka,
Based on choosing an option dynamically from a dropdown list, I created an indexer "tripleabc", and the sourcetype is "eventscount", which contains CISCO, Microsoft and Checkpoint as device vendor field alerts or data. I used your input:
EVENT INPUT THROUGH DASHBOARD
<input type="dropdown" token="device_vendor" searchWhenChanged="true">
<label>device_vendor</label>
<search>
<query> index="tripleabc" earliest=-20d sourcetype="eventscount" | stats count by device_vendor </query>
</search>
<fieldForLabel>device_vendor</fieldForLabel>
<fieldForValue>device_vendor</fieldForValue>
</input>
<input type="dropdown" token="device_product" searchWhenChanged="true">
<label>device_product</label>
<search>
<query>index= "tripleabc" earliest=-20d sourcetype= "eventscount" $device_vendor$ | stats count by device_product</query>
</search>
<fieldForLabel>device_product</fieldForLabel>
<fieldForValue>device_product</fieldForValue>
</input>
<panel>
<title>EVENT DISPLAY AS PER SELECTION</title>
<table>
<title>EVENT DATA DISPLAY</title>
<search>
<query>
index= "tripleabc" sourcetype= "eventscount" $device_vendor$ | stats count by device_product
</query>
<earliest>-20d</earliest>
<latest></latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
However, the search produces no results. I just want in the device vendor list (CISCO, Checkpoint and Windows) and in device product (ASA, Firewall, Microsoft Win), and on selection of CISCO from the device vendor dropdown I should get only ASA in device product, and on selection:-
I should get the statistics table depicting the alerts for the last 24 hrs or 48 hrs.
Please suggest on the same. Code is attached for your reference.
Regards,
Sanyam