Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Help: How to search all events with the selected values from two drop-downs on my dashboard?

alan20854
Path Finder
‎06-22-2016 12:44 PM

Hi,

I am creating a dashboard with 2 drop-downs, one for Services and the other for Methods, and I want the search to look for all events with the selected Service and Method.

However, the values in the drop-downs do not perfectly match what I am looking for. For example, one of the services in the drop-down may show - Enrollment Web Service (NRLMT_WS) and the method may be - Get Enrollments (GET_NRLMT) , but in my search , I want to look for all events where Service = NRLMT_WS AND Method = GET_NRLMT.

Considering that all the options in the drop-downs are in this format: their description and then its key phrase in parentheses, what is the search for this?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-22-2016 01:20 PM

The description of your dropdown can be different from the string value of that goes into the associated token. So have the description be Enrollment Web Service (NRLMT_WS), the token value be NRLMT_WS. Then have your search be like this:

... Service="$Service_Token$" Method="$Method_Token$"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-22-2016 01:20 PM

The description of your dropdown can be different from the string value of that goes into the associated token. So have the description be Enrollment Web Service (NRLMT_WS), the token value be NRLMT_WS. Then have your search be like this:

... Service="$Service_Token$" Method="$Method_Token$"
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-22-2016 01:19 PM

Try this for your service and method dropdown (rest all same)

 <input type="dropdown" token="service1" searchWhenChanged="true">
   <label>Service</label>
   <search>
     <query>| inputlookup Lookup.csv | search source="$source1$" | stats count by service | table service | rex field=service "\((?<service_value>[^\)]+)\)" </query>
   </search>
   <fieldForLabel>service</fieldForLabel>
   <fieldForValue>service_value</fieldForValue>
 </input>
 <input type="dropdown" token="method1" searchWhenChanged="true">
   <label>Method/Operation</label>
   <search>
     <query>| inputlookup Lookup.csv | search (source = "$source1$" AND service = "*($service1$)")| stats count by method | table method | rex field=method "\((?<method_value>[^\)]+)\)" </query>
     <earliest>0</earliest>
   </search>
   <fieldForLabel>method</fieldForLabel>
   <fieldForValue>method_value</fieldForValue>
 </input>
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-22-2016 12:55 PM

Do you've static values in the dropdowns OR it's being populated using a query? In both cases you can have "value" portion to use the value inside parenthesis.

Other option would be to update your panel search to do the regex/transformation of the selected value. Could you post your dashboard xml, with searches being used?

0 Karma
Reply
Solved! Jump to solution

alan20854
Path Finder
‎06-22-2016 01:04 PM

Hi somesoni2,

Here is my current dashboard XML:

External Interfaces

<input type="dropdown" token="source1" searchWhenChanged="true">
  <label>Source</label>
  <search>
    <query>| inputlookup Lookup.csv | stats count by source | table source</query>
  </search>
  <fieldForLabel>source</fieldForLabel>
  <fieldForValue>source</fieldForValue>
</input>
<input type="dropdown" token="service1" searchWhenChanged="true">
  <label>Service</label>
  <search>
    <query>| inputlookup Lookup.csv | search source="$source1$" | stats count by service | table service</query>
  </search>
  <fieldForLabel>service</fieldForLabel>
  <fieldForValue>service</fieldForValue>
</input>
<input type="dropdown" token="method1" searchWhenChanged="true">
  <label>Method/Operation</label>
  <search>
    <query>| inputlookup Lookup.csv | search (source = "$source1$" AND service = "$service1$")| stats count by method | table method</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>method</fieldForLabel>
  <fieldForValue>method</fieldForValue>
</input>
<input type="time" token="time" searchWhenChanged="true">
  <label>Last Transaction Time</label>
  <default>
    <earliest>@d</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <event>
    <title>Most Recent Event</title>
    <search>
      <query>Service = $service1$ Method = $method1$|sort -_time | head 1</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="list.drilldown">full</option>
    <option name="list.wrap">1</option>
    <option name="maxLines">5</option>
    <option name="raw.drilldown">full</option>
    <option name="rowNumbers">0</option>
    <option name="table.drilldown">all</option>
    <option name="table.wrap">1</option>
    <option name="type">list</option>
    <fields>["host","source","sourcetype"]</fields>
  </event>
</panel>
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...