Re: Dashboard Drop Down Group of Servers Environme...

Ram2

We have a dashboard, where we want to add few hosts in a drop down. I tried using single host in a drop down its working, but when we add multiple hosts it showing syntax error(invalid attribute.)

DEV
amptams.dev.com
ampvitss.dev.com
ampdoctrc.dev.com

SIT
ampastdmsg.dev.com
ampmorce.dev.com
ampsmls.dev.com

UAT
ampserv.dev.com
ampasoomsg.dev.com

SYS
ampmsdser.dev.com
ampastcol.dev.com

Dashboard xml

<form version="1.1" theme="light">
<label>Dashboard</label>
<fieldset submitButton="false">
<input type="time" token="timepicker">
<label>TimeRange</label>
<default>
<earliest>-15m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="Server">
<label>Env wise hosts</label>
<choice value="amptams.dev.com">ENVINORMENT-DEV</choice>
<choice value="ampastdmsg.dev.com">ENVINORMENT-SIT</choice>
<choice value="ampserv.dev.com">ENVINORMENT-UAT</choice>
<choice value="ampmsdser.dev.com">ENVINORMENT-SYS</choice>>
</fieldset>
<row>
<panel>
<table>
<title>Incoming Count &amp; Total Count</title>
<search>
<query>index=app-index source=application.logs $Server$
|rex field= _raw "application :\s(?<Application>\w+)"
| rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
|chart count over Application by Msgs
|rename "Initial message received with below details" as Income, "Letter published correctley to ATM subject" as  ATM, "Letter published correctley to DMM subject" as DMM, "Letter rejected due to: DOUBLE_KEY" as Reject, "Letter rejected due to: UNVALID_LOG" as Rej_log, "Letter rejected due to: UNVALID_DATA_APP" as Rej_app 
|table Income Rej_app ATM DMM Reject Rej_log Rej_app
</query>
<earliest>timepicker.earliest</earliest>
<latest>timepicker.latest</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentageRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<form>

gcusello

Hi @Ram2,

In the code you shared there are some missing parts.

the, these aren't few hosts so I hint to use a lookup containing two columns:

env
host

like the folowing:

env host
DEV amptams.dev.com
DEV ampvitss.dev.com
DEV ampdoctrc.dev.com
SIT ampastdmsg.dev.com
SIT ampmorce.dev.com
SIT ampsmls.dev.com
UAT ampserv.dev.com
UAT ampasoomsg.dev.com
SYS ampmsdser.dev.com
SYS ampastcol.dev.com

(remember to create also the Lookup Definition).

in this way you could use in cascade two dropdown lists in this way:

<form version="1.1" theme="light">
    <label>Dashboard</label>
    <fieldset submitButton="false">
        <input type="time" token="timepicker">
            <label>TimeRange</label>
            <default>
                <earliest>-15m@m</earliest>
                <latest>now</latest>
            </default>
        </input>
        <input type="dropdown" token="env">
            <label>Environment</label>
            <choice value="*">All</choice>
            <prefix>env="</prefix>
            <suffix>"</suffix>
            <default>*</default>
            <fieldForLabel>env</fieldForLabel>
            <fieldForValue>env</fieldForValue>
          <search>
              <query>
                  | inputlookup perimeter.csv
                  | dedup env
                  | sort env
                  | table env
              </query>
          </search>
    </input>
    <input type="dropdown" token="host">
        <label>Server</label>
        <choice value="*">All</choice>
        <prefix>host="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <fieldForLabel>host</fieldForLabel>
        <fieldForValue>host</fieldForValue>
        <search>
            <query>
                | inputlookup perimeter.csv WHERE $env$
                | dedup host
                | sort host
                | table host
            </query>
        </search>
    </input>
</fieldset>
    <row>
        <panel>
            <table>
                <title>Incoming Count &amp; Total Count</title>
                <search>
                    <query>
                        index=app-index 
                        source=application.logs 
                        $env$ 
                        $host$ 
                        (
                            "Initial message received with below details" OR
                            "Letter published correctley to ATM subject" OR 
                            "Letter published correctley to DMM subject" OR 
                            "Letter rejected due to: DOUBLE_KEY" OR 
                            "Letter rejected due to: UNVALID_LOG" OR 
                            "Letter rejected due to: UNVALID_DATA_APP"
                         )
                        | rex field= _raw "application :\s(?<Application>\w+)"
                        | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
                        | chart count over Application by Msgs
                        | rename 
                            "Initial message received with below details" AS Income,
                            "Letter published correctley to ATM subject" AS  ATM, 
                            "Letter published correctley to DMM subject" AS DMM, 
                            "Letter rejected due to: DOUBLE_KEY" AS Reject, 
                            "Letter rejected due to: UNVALID_LOG" AS Rej_log, 
                            "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app 
                        | table 
                            Income Rej_app ATM DMM Reject Rej_log Rej_app
                    </query>
                    <earliest>timepicker.earliest</earliest>
                    <latest>timepicker.latest</latest>
                    <sampleRatio>1</sampleRatio>
                </search>
                <option name="count">20</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">none</option>
                <option name="percentageRow">false</option>
                <option name="refresh.display">progressbar</option>
                <option name="rowNumbers">false</option>
                <option name="totalsRow">false</option>
                <option name="wrap">true</option>
            </table>
        </panel>
    </row>
<form>

Ciao.

Giuseppe

Ram2

Hi @gcusello , thank you so much the solution which you gave works perfectly. But We don't have role to upload lookup files

we are planning to reduce the number of hosts list like each env has 2 hosts so in this scenario how to get this done pls suggest???

gcusello

Hi @Ram2 ,

in this case (having only two hosts, please try this:

<form version="1.1" theme="light">
    <label>Dashboard</label>
    <fieldset submitButton="false">
        <input type="time" token="timepicker">
            <label>TimeRange</label>
            <default>
                <earliest>-15m@m</earliest>
                <latest>now</latest>
            </default>
        </input>
    <input type="dropdown" token="host">
        <label>Server</label>
        <choice value="*">All</choice>
        <choice value="host1">host1</choice>
        <choice value="host2">host2</choice>
        <prefix>host="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <fieldForLabel>host</fieldForLabel>
        <fieldForValue>host</fieldForValue>
        <search>
            <query>
            </query>
        </search>
    </input>
</fieldset>
    <row>
        <panel>
            <table>
                <title>Incoming Count &amp; Total Count</title>
                <search>
                    <query>
                        index=app-index 
                        source=application.logs 
                        $host$ 
                        (
                            "Initial message received with below details" OR
                            "Letter published correctley to ATM subject" OR 
                            "Letter published correctley to DMM subject" OR 
                            "Letter rejected due to: DOUBLE_KEY" OR 
                            "Letter rejected due to: UNVALID_LOG" OR 
                            "Letter rejected due to: UNVALID_DATA_APP"
                         )
                        | rex field= _raw "application :\s(?<Application>\w+)"
                        | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
                        | chart count over Application by Msgs
                        | rename 
                            "Initial message received with below details" AS Income,
                            "Letter published correctley to ATM subject" AS  ATM, 
                            "Letter published correctley to DMM subject" AS DMM, 
                            "Letter rejected due to: DOUBLE_KEY" AS Reject, 
                            "Letter rejected due to: UNVALID_LOG" AS Rej_log, 
                            "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app 
                        | table 
                            Income Rej_app ATM DMM Reject Rej_log Rej_app
                    </query>
                    <earliest>timepicker.earliest</earliest>
                    <latest>timepicker.latest</latest>
                    <sampleRatio>1</sampleRatio>
                </search>
                <option name="count">20</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">none</option>
                <option name="percentageRow">false</option>
                <option name="refresh.display">progressbar</option>
                <option name="rowNumbers">false</option>
                <option name="totalsRow">false</option>
                <option name="wrap">true</option>
            </table>
        </panel>
    </row>
<form>

Ciao.

Giuseppe

Harish2

@gcusello , Sorry if i have confused you.

If we have 2 hosts for each env like shown below apart from lookup file do we have other solutions to create drop down env wise.

dev

2 hosts

sit

2 hosts

sys

2 hosts

uat

2 hosts

gcusello

Hi @Harish2 ,

the most efficient solution is using a lookup, if you aren0t enabled to do this, you have to insert in the input all the conditions, somethin ike this:

<form version="1.1" theme="light">
    <label>Dashboard</label>
    <fieldset submitButton="false">
        <input type="time" token="timepicker">
            <label>TimeRange</label>
            <default>
                <earliest>-15m@m</earliest>
                <latest>now</latest>
            </default>
        </input>
        <input type="dropdown" token="env">
            <label>Environment</label>
            <choice value="*">All</choice>
            <prefix>env="</prefix>
            <suffix>"</suffix>
            <default>*</default>
            <fieldForLabel>env</fieldForLabel>
            <fieldForValue>env</fieldForValue>
          <search>
              <query>
                  | makeresults | eval env="DEV" | fields env
                  | append [ | makeresults | eval env="SIT" | fields env ]
                  | append [ | makeresults | eval env="UAT" | fields env ]
                  | append [ | makeresults | eval env="SYS" | fields env ]
                  | sort env
                  | table env
              </query>
          </search>
    </input>
    <input type="dropdown" token="server">
        <label>Server</label>
        <choice value="*">All</choice>
        <prefix>server="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <fieldForLabel>server</fieldForLabel>
        <fieldForValue>server</fieldForValue>
        <search>
            <query>
                | makeresults | eval env="DEV", server="amptams.dev.com" | fields env server
                | append [ | makeresults | eval env="DEV", server="ampvitss.dev.com" | fields env server ]
                | append [ | makeresults | eval env="DEV", server="ampdoctrc.dev.com" | fields env server ]
                | append [ | makeresults | eval env="SIT", server="ampastdmsg.dev.com" | fields env server ]
                | append [ | makeresults | eval env="SIT", server="ampmorce.dev.com" | fields env server ]
                | append [ | makeresults | eval env="SIT", server="ampsmls.dev.com" | fields env server ]
                | append [ | makeresults | eval env="UAT", server="ampserv.dev.com" | fields env server ]
                | append [ | makeresults | eval env="UAT", server="ampasoomsg.dev.com" | fields env server ]
                | append [ | makeresults | eval env="SYS", server="ampmsdser.dev.com" | fields env server ]
                | append [ | makeresults | eval env="SYS", server="ampastcol.dev.com" | fields env server ]
                | search $env$
                | dedup server
                | sort server
                | table server
            </query>
        </search>
    </input>
</fieldset>
    <row>
        <panel>
            <table>
                <title>Incoming Count &amp; Total Count</title>
                <search>
                    <query>
                        index=app-index 
                        source=application.logs 
                        $env$ 
                        $server$ 
                        (
                            "Initial message received with below details" OR
                            "Letter published correctley to ATM subject" OR 
                            "Letter published correctley to DMM subject" OR 
                            "Letter rejected due to: DOUBLE_KEY" OR 
                            "Letter rejected due to: UNVALID_LOG" OR 
                            "Letter rejected due to: UNVALID_DATA_APP"
                         )
                        | rex field= _raw "application :\s(?<Application>\w+)"
                        | rex field= _raw "(?<Msgs>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
                        | chart count over Application by Msgs
                        | rename 
                            "Initial message received with below details" AS Income,
                            "Letter published correctley to ATM subject" AS  ATM, 
                            "Letter published correctley to DMM subject" AS DMM, 
                            "Letter rejected due to: DOUBLE_KEY" AS Reject, 
                            "Letter rejected due to: UNVALID_LOG" AS Rej_log, 
                            "Letter rejected due to: UNVALID_DATA_APP" AS Rej_app 
                        | table 
                            Income Rej_app ATM DMM Reject Rej_log Rej_app
                    </query>
                    <earliest>timepicker.earliest</earliest>
                    <latest>timepicker.latest</latest>
                    <sampleRatio>1</sampleRatio>
                </search>
                <option name="count">20</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">none</option>
                <option name="percentageRow">false</option>
                <option name="refresh.display">progressbar</option>
                <option name="rowNumbers">false</option>
                <option name="totalsRow">false</option>
                <option name="wrap">true</option>
            </table>
        </panel>
    </row>
<form>

Ciao.

Giuseppe

Harish2

@gcusello , thank you so much, it’s working as expected.

thank you once again

Dashboard Drop Down Group of Servers Environment Wise

Classic dashboard

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...