Solved: how to automate requests for it to be adapted auto...

pierra56 · ‎07-28-2014

For exemple
this request:
sourcetype="the_log_file" | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5

I want to use another file but without rewriting any.

somesoni2 · ‎07-28-2014

Updated
Try this

your search to retrieve list of sourcetype | map maxsearches=100 search="your search string with using $sourcetype" as replacement for values.

e.g.

index=* | stats count by sourcetype | table sourcetype | map maxsearches=100 search="index=* sourcetype=\"$sourcetype$\"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5"

Old
You can create a dashboard with a dropdown or textbox to give input sourcetype, and then show the result in one panel. something like this

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=* earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</form>

View solution in original post

somesoni2 · ‎07-28-2014

Updated
Try this

your search to retrieve list of sourcetype | map maxsearches=100 search="your search string with using $sourcetype" as replacement for values.

e.g.

index=* | stats count by sourcetype | table sourcetype | map maxsearches=100 search="index=* sourcetype=\"$sourcetype$\"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5"

Old
You can create a dashboard with a dropdown or textbox to give input sourcetype, and then show the result in one panel. something like this

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[index=* earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>
      </populatingSearch>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$"  | stats sum(sent) as send sum(rcvd) as receive by src | sort - send,receive | head 5</searchString>
      <earliestTime>-1h</earliestTime>
      <latestTime>now</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
      <option name="count">10</option>
    </table>
  </row>
</form>

pierra56 · ‎08-05-2014

Thanks you !! It's work!!

somesoni2 · ‎08-05-2014

Try this as populatingSearch

|metadata type=sourcetypes index=* | stats count by sourcetype

pierra56 · ‎08-05-2014

HELP!!
I have no choice in my dropdown list. my sourcetype are not there.

pierra56 · ‎07-30-2014

Again thank you for your help.
But my dropdown list is empty. There is just all and not my log files.

it comes from the token?

somesoni2 · ‎07-30-2014

I may have misunderstood the requirement here. Correct me if I am wrong, what you need is a single query which will generate results (using the query mentioned in the question itself) for each sourcetype without typing the whole query multiple times for each sourcetype. If yes then try the updated answer.

pierra56 · ‎07-30-2014

hum...

Sourcetype
All

<![CDATA[index= earliest=-1h@h | stats count by sourcetype | table sourcetype ]]>

I don't understand. how sourcetypes are incremented here. Because I do not see anything changing.

somesoni2 · ‎07-29-2014

This is just a sample layout of a dashboard. Please update the queries as per your environment. (in put query which will get you list of sources [or replace it by a textbox if you want to provide data manually], and in put the actual query with sourcetype being parameterized)

pierra56 · ‎07-29-2014

Thx for your response.

But your script doesn't work. The result is "This dashboard has no panels." it is because he does not find the "sourcetype" ?

how to automate requests for it to be adapted automatically to different log file?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM