Solved: How can multiselect input accommodate logs with di...

MonkeyK · ‎02-02-2017

My dashboard is based on a datamodel but it has drilldowns to the actual logs

If I have a multiselect for actions (A, B, C), I can set the valuePrefix with a delimiter of "OR"

<input type="multiselect" token="form_action">
      <label>Action</label>
      <choice value="=A">A</choice>
      <choice value="=B">B</choice>
      <choice value="=C">C</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>DataModel.action</valuePrefix>
      <delimiter> OR </delimiter>
      <default>=A,=B</default>
      <initialValue>=A,=B</initialValue>
 </input>

So that based on selections, I can define DataModel search terms to

DataModel.action=A OR DataModel.action=B

However the actual event log does not have the field DataModel.action. It only has "action". So when I do a drilldown to the log events, I would like to be able so drill down to a search that includes

action=A OR action=B

The two ideas that I have to do this are

rename the prefix to just "action" and delay my datamodel search terms until after I have selected from my datamodel:

|tstats count from datamode=DataModel by DataModel.action | eval action=DataModel.action | search $form_action$
create field alias for my log source field action called DataModel.action then searches for DataModel.action should work

IMO, the first option is bad because it does not allow further variation in log sources. So if I had visualizations that might drill down to different log sources, with different field names for "action", I could not create those drill downs
The second option is slightly better but I would also not like to start creating aliases for logs source to match data models

Is there a better way to do this?

MonkeyK · ‎02-08-2017

I have recently learned that I can create a new token using eval:

in the case of my drilldown, inside the drilldown definition, I can do:

<drilldown target="_blank">
          <set token="newAction">$form_action$</set>
          <eval token="newAction">replace($form_action$,"DataModel.action","action")</eval>
          <eval token="newAction">replace($newAction$,"DataModel.action","action")</eval>
...
</drilldown>

View solution in original post

MonkeyK · ‎02-08-2017

I have recently learned that I can create a new token using eval:

in the case of my drilldown, inside the drilldown definition, I can do:

<drilldown target="_blank">
          <set token="newAction">$form_action$</set>
          <eval token="newAction">replace($form_action$,"DataModel.action","action")</eval>
          <eval token="newAction">replace($newAction$,"DataModel.action","action")</eval>
...
</drilldown>

cmerriman · ‎02-08-2017

You beat me to it! I was sitting at home thinking about this and I thought, "oh an eval would work, I'll quick add a comment" but I hadn't noticed that you've posted so long ago!

cmerriman · ‎02-03-2017

have you tried putting the token inside the tstats?

|tstats count from datamode=DataModel  where $form_action$ by DataModel.action

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Tstats

MonkeyK · ‎02-03-2017

Does that resolve multiple values from the multiselect? I am thinking not.

MonkeyK · ‎02-07-2017

Yeah. I tried it and that does not handle the multiple values

cmerriman · ‎02-08-2017

i just made a dashboard with tstats and used the same multiselect XML as yours above and am able to click one or both of them and the data is showing. check my edit. I had a typo.

MonkeyK · ‎02-08-2017

Yes, your edit is what I had been doing. As noted in my qestion, the multi-select works on a single source.
My problem occurs when I want to drill down or use the same input for a source that names the field differently. My question is looking for a best way to handle that.

How can multiselect input accommodate logs with different field names for the same values?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life