Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I fix my multiselect so that it works for one metric tag?

walkerhound
Path Finder
‎04-17-2018 09:59 AM

I am using a multiselect input to create a query of the metrics store. If there is one metric_name chosen, the resulting token looks like this:

(metric_name="myMetricName")

If two metric_names are chosen the resulting token looks like this:

(metric_name="myMetricName1" OR metric_name="myMetricName2")

The search looks like this:

|mstats prestats=true avg(_value) WHERE $myToken$
                        index="myMetricsIndex" span=1m  BY metric_name
                        |timechart span=1m avg(_value) by metric_name

This search works for two metric_names but not for one metric_name.

I have two questions.

First: Why is the following search illegal?

|mstats prestats=true avg(_value) WHERE (metric_name="myMetricName")
                        index="myMetricsIndex" span=1m  BY metric_name
                        |timechart span=1m avg(_value) by metric_name

Secondly: How to I fix my multiselect so that it works for one metric tag?

0 Karma
Reply

niketn
Legend
‎04-18-2018 03:37 AM

@walkerhound, can you try the following approach?

Have your multi-value input prepare values like "myMetricName1"when 1 metric is selected and "myMetricName1","myMetricName2" when two metrics are selected.

| mstats prestats=t avg(_value) WHERE index="myMetricsIndex" AND metric_name IN ( $myToken$ ) 
                          span=1m BY metrics_name
                         |timechart span=1m avg(_value) by metric_name

Also while debugging display $myToken$ in the <panel> <title> to test the token value i.e.

<title>$mytoken$</title>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

walkerhound
Path Finder
‎04-17-2018 10:01 AM

I just discovered that adding a space after the ( works with one metric_name as well as two metric_names.

I still wonder why the original syntax is illegal.

0 Karma
Reply

p_gurav
Champion
‎04-17-2018 11:04 PM

Can you avoid putting token without brackets?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...