Splunk Search

Generate a stand-alone event based on a token in a dashboard

joxley
Path Finder

Background:
In a dashboard, I have a token excludes which I want someone to be able to enter 1*,5* into. I then want to take that token, split it into multiple events and run it through | format; then I'll be able to put that into the filter part of the main search.

This brings me to my question. How do I turn $excludes$ into

1*
5*

Update: Right now I'm using Simple XML, but would consider moving to Advanced XML. Sideview Utils is already installed on the system.

1 Solution

sideview
SplunkTrust

In Sideview XML, if you had a TextField module into whose textbox a user could type "1*,5*":

<module name="TextField">
  <param name="name">commaSep</param>
  <param name="label">enter users one on each line</param>

  <module name="Button">
    <!-- split the comma-separated token $commaSep$ into the array $arrayValue$ -->
    <module name="ValueSetter">
      <param name="name">arrayValue</param>
      <param name="delim">,</param>
      <param name="value">$commaSep$</param>

      <!-- render each element with the template, join with the separator, wrap with outerTemplate -->
      <module name="ArrayValueSetter">
        <param name="name">searchExpression</param>
        <param name="array">$arrayValue$</param>
        <param name="template">status="$value$"</param>
        <param name="separator">+OR+</param>
        <param name="outerTemplate">( $value$ )</param>

        <module name="Search">
          <param name="search">search terms here $searchExpression$ | timechart count by status</param>

          <module name="JSChart"/>
        </module>
      </module>
    </module>
  </module>
</module>

Another way to achieve the same result, using an extra search and the format command instead of ValueSetter and ArrayValueSetter, is to do the splitting and search-term formatting in the search language with the format command, and then use the Sideview ResultsValueSetter module to "pull down" the field value from the search results and turn it into a token. That would look like this:

<module name="TextField">
  <param name="name">commaSep</param>
  <param name="label">enter status codes, comma separated</param>

  <!-- a one-row search that splits the token and lets format build the OR clause -->
  <module name="Search">
    <param name="search">| stats count | fields - count | eval user=split("$commaSep$",",") | format | rename search as searchExpression</param>

    <!-- copy the searchExpression field out of the results into a token of the same name -->
    <module name="ResultsValueSetter">
      <param name="fields">searchExpression</param>

      <module name="Search">
        <param name="search">search terms here $searchExpression$ | timechart count by status</param>

        <module name="JSChart"/>
      </module>
    </module>
  </module>
</module>

If you go this direction, make sure to get the latest Sideview Utils, version 3.3.2 from the Sideview website ( http://sideviewapps.com/apps/sideview-utils/ ) and you'll have to read the first couple pages of the documentation to understand how it works. After that read the docs pages for each of the modules that you use.
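As an added illustration (not Sideview's code, and not from the answer above), here is a small Python model of what the ValueSetter/ArrayValueSetter pair does to the typed token: split on the delim, render each value through the template, join with the separator and wrap with outerTemplate. It assumes Sideview's convention that `+` in a separator stands for a space, trims blanks from a trailing comma, and adds one step the modules above do not show: escaping quotes and backslashes in each value so a typed value cannot terminate the `status="..."` literal it is placed in.

```python
def escape_spl_value(value: str) -> str:
    """Escape backslashes and double quotes so the value stays inside its quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_search_expression(
    token: str,
    delim: str = ",",
    template: str = 'status="$value$"',
    separator: str = " OR ",          # the page's "+OR+" with + read as a space (assumption)
    outer_template: str = "( $value$ )",
) -> str:
    """Model of ValueSetter (delim split) followed by ArrayValueSetter (template/join/wrap)."""
    values = [v.strip() for v in token.split(delim)]
    values = [v for v in values if v]  # drop empties from "1*,5*," or doubled delimiters
    if not values:
        return ""  # nothing typed: contribute no filter rather than an empty "( )" clause
    terms = [template.replace("$value$", escape_spl_value(v)) for v in values]
    return outer_template.replace("$value$", separator.join(terms))


def main_search(base_terms: str, token: str) -> str:
    """Assemble the final search string the inner Search module would run."""
    expression = build_search_expression(token)
    filter_part = f" {expression}" if expression else ""
    return f"{base_terms}{filter_part} | timechart count by status"


if __name__ == "__main__":
    # Constructed sample inputs standing in for what a user types into the TextField.
    for typed in ("1*,5*", "1*, 5*,", '1" OR status=*', ""):
        print(repr(typed), "->", main_search("search terms here", typed))
```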

sideview
SplunkTrust

Is this dashboard using Sideview XML or simple XML or splunk JS? I can tell you a couple easy ways to do this in Sideview XML.

joxley
Path Finder

Currently doing it in Simple XML, but will move to sideview
