I have two macros; depending on the hostname typed into the text input, it should select the macro dynamically. Using the code below.

Kumar23
Loves-to-Learn

My scenario:

Macro1=US_Base_Search
Macro2=AD_Base_Search
If host=AB*, then I need to get the data from the macro US_Base_Search; if (host=C* OR host != AB*), then I need to get the data from a different macro, AD_Base_Search.

UAT

$Prefixhost$_Basesearch($HostName$) | fields *
$TimeSpan.earliest$
$TimeSpan.latest$

<query>`$Prefixhost$_Process($HostName$)` instance=$instance$ | fields *</query>
<earliest>$TimeSpan.earliest$</earliest>
<latest>$TimeSpan.latest$</latest>

<row>

       <input type="radio" searchWhenChanged="true" token="Enter SID/HostName">

HostName

SID

$SID$
$HostName$

$HostName$
$SID$

UA

Clone_GSO

Clone_GSO

Clone_GSO

Clone_GSO

Clone_GSO

-4h@m
now

Select Timechart Span:
Select a Span from dropdown to set chart resolution.

Search by Hostname:
Click on a row of "SID to Host Lookup" for Perfmon statistics

1 Minute
5 Minutes
10 Minutes
15 Minutes
30 Minutes
60 Minutes
5m
5m

Enable

SID to Host Lookup

source=User_activity_stats index=wks_summary sourcetype="user_activity_stats" SID=$SID$ | convert auto(Last_Reported) auto(First_Reported) | table orig_host SID First_Reported Last_Reported _time | dedup SID orig_host sortby -Last_Reported | sort -Last_Reported | convert ctime(First_Reported) ctime(Last_Reported)| rename orig_host as HostName
-30d@d
@d

true
true
none

$row.HostName$

US

AD

AD

AD

AD

AD

row
20

CPU Utilization

OverAll

| timechart span=$chartSpan$ avg("%_Processor_Time") as %_Processor_Time, avg("%_User_Time") as %_User_Time, avg("%_Privileged_Time") as %_Privileged_Time avg("%_Interrupt_Time") as %_Interrupt_Time

Context Switches/Sec

| timechart span=$chartSpan$ Avg(Context_Switches/sec) As "Context Switches/sec"

gvmorley
Contributor

Hi,

I'm not sure if I can give you the answer that you're looking for, but I might be able to point you in the direction of some places to look.

I think when posting your question, you didn't quite get all the formatting as code so it's a bit broken. No worries, we'll try to figure it out.

Some things to note:

  1. You can't use <fieldset></fieldset> tags within the <drilldown></drilldown> Event Handler.
    Check this out in the docs: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown

  2. The <condition></condition> element works slightly differently in <drilldown></drilldown>. You can't use it with a match command.
    Have a look here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Condition_.28drilldown....

One strategy you could try would be to create an <input type="dropdown"></input> and populate it with a search that lists all of your HostNames.

Then you could use <change></change> and <condition></condition> elements to create your Prefixhost token.

Alternatively, if you want to use the <table></table> and <drilldown></drilldown> approach, you could eval the correct Macro Name into the search.

Then when your users click on a row, you can take that Macro Name token and use it to create later searches.

Like this:

I know that this may not be exactly what you're looking for, but it might spark some ideas.

Finally, if you haven't come across it yet in your Splunk journey, check out the excellent 'Dashboard Examples App' on Splunkbase. Install it on a test system, and use it as a reference for what's possible. You can find it here: https://splunkbase.splunk.com/app/1603/

Best of luck.

Here's the code for that example, which you could paste into a new Dashboard just to see what I mean
(You can ignore the search, that was just to create some data to work with):

<dashboard>
  <label>Test - Table Drilldown</label>
  <row>
    <panel>
      <title>My Data</title>
      <table>
        <search>
          <query>
            <![CDATA[| makeresults 
            | fields - _time 
            | eval HostName=mvappend("CH1234", "/1234", "ATC1234", "L1234", "1CP", "W1234") 
            | mvexpand HostName 
            | eval Time=strftime(time(),"%H:%M:%S %d/%m/%Y"), OtherTime=strftime(time()+121,"%H:%M:%S %d/%m/%Y")
            | eval Environment=case(match(HostName,"^CH.*"),"US_Macro",match(HostName,"^/\d.*|^ATC.*|^L.*|^\dCP.*|^W.*"),"AD_Macro")
            | table HostName Time OtherTime Environment
            ]]>
          </query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="my.click.name">$click.name$</set>
          <set token="my.click.value">$click.value$</set>
          <set token="my.click.name2">$click.name2$</set>
          <set token="my.click.value2">$click.value2$</set>
          <set token="my.row.hostname">$row.HostName$</set>
          <set token="my.row.time">$row.Time$</set>
          <set token="my.row.othertime">$row.OtherTime$</set>
          <set token="my.row.environment">$row.Environment$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>click.name = $my.click.name$</div>
        <div>click.value = $my.click.value$</div>
        <div>click.name2 = $my.click.name2$</div>
        <div>click.value2 = $my.click.value2$</div>
        <div>row.HostName = $my.row.hostname$</div>
        <div>row.Time = $my.row.time$</div>
        <div>row.OtherTime = $my.row.othertime$</div>
        <h3>row.Environment = $my.row.environment$</h3>
        <h3>Run this search: $my.row.environment$_Process($my.row.hostname$)</h3>
      </html>
    </panel>
  </row>
</dashboard>
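
One way to write the dropdown strategy described in this answer, as an added example that is not from the original thread. It reuses the question's lookup search, its `$Prefixhost$_Process($HostName$)` macro call and its UA / Clone_GSO prefixes; the `stats` host list, the `^CH` pattern and the `$value$` form of the `match` expression are assumptions to check against your data and Splunk version. Because `Prefixhost` is only ever set to one of two fixed strings, the macro name is never built from user-typed text.

```xml
<form>
  <label>Macro prefix from a host dropdown (added example)</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="HostName" searchWhenChanged="true">
      <label>HostName</label>
      <fieldForLabel>HostName</fieldForLabel>
      <fieldForValue>HostName</fieldForValue>
      <search>
        <!-- Lookup search from the question, reduced to a distinct host list -->
        <query>source=User_activity_stats index=wks_summary sourcetype="user_activity_stats" | stats count by orig_host | rename orig_host as HostName | fields HostName</query>
        <earliest>-30d@d</earliest>
        <latest>@d</latest>
      </search>
      <change>
        <!-- Conditions are evaluated in order; the first match wins -->
        <condition match="match($value$, &quot;^CH&quot;)">
          <set token="Prefixhost">UA</set>
        </condition>
        <!-- Catch-all: every other host uses the second macro family -->
        <condition>
          <set token="Prefixhost">Clone_GSO</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Runs only once both HostName and Prefixhost have been set -->
        <search>
          <query>`$Prefixhost$_Process($HostName$)` | fields *</query>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```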


Kumar23
Loves-to-Learn

UAT

$Prefixhost$_Basesearch($HostName$) | fields *
$TimeSpan.earliest$
$TimeSpan.latest$

<query>`$Prefixhost$_Process($HostName$)` instance=$instance$ | fields *</query>
<earliest>$TimeSpan.earliest$</earliest>
<latest>$TimeSpan.latest$</latest>

       <input type="radio" searchWhenChanged="true" token="Enter SID/HostName">

HostName

SID

$SID$
$HostName$

$HostName$
$SID$

UA

Clone_GSO

Clone_GSO

Clone_GSO

Clone_GSO

Clone_GSO

-4h@m
now

Select Timechart Span:
Select a Span from dropdown to set chart resolution.

Search by Hostname:
Click on a row of "SID to Host Lookup" for Perfmon statistics

1 Minute
5 Minutes
10 Minutes
15 Minutes
30 Minutes
60 Minutes
5m
5m

Enable

</panel>
<panel >
  <title>SID to Host Lookup</title>
  <table depends="$SID$">
    <search >
      <query>source=User_activity_stats index=wks_summary sourcetype="user_activity_stats" SID=$SID$ | convert auto(Last_Reported) auto(First_Reported) | table  orig_host  SID  First_Reported Last_Reported _time | dedup SID orig_host sortby -Last_Reported | sort -Last_Reported | convert  ctime(First_Reported) ctime(Last_Reported)| rename orig_host as HostName</query>

      <earliest>-30d@d</earliest>
      <latest>@d</latest>

    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <drilldown>
     <set token="HostName" >$row.HostName$</set>
     <fieldset autoRun="true" submitButton="false">
    <change>
      <condition match="match('row.value',&quot;^CH.*&quot;)">
        <set token="Prefixhost">UA</set>
      </condition>
      <condition match="match('row.value',&quot;^V\d{1,2}\d\d.*&quot;)">
        <set token="Prefixhost">Clone_GSO</set>
      </condition>
      <condition match="match('row.value',&quot;L.*&quot;)">
       <set token="Prefixhost">Clone_GSO</set>
      </condition>
      <condition match="match('row.value',&quot;ATC.*&quot;)">
       <set token="Prefixhost">Clone_GSO</set>
      </condition>
      <condition match="match('row.value',&quot;\dCP.*&quot;)">
        <set token="Prefixhost">Clone_GSO</set>
      </condition>
       <condition match="match('row.value',&quot;W.*&quot;)">
         <set token="Prefixhost">Clone_GSO</set>
      </condition>    
        </change>
         </fieldset>
     <option name="drilldown">row</option>
    <option name="count">20</option>
    </drilldown>
    </table>
          </panel>
      </row>
         <row depends="$HostName$">
<panel>
  <title>CPU Utilization</title>

  <chart id="link1">
    <title>OverAll</title>
    <search base="Overview_Data" >
      <query> | timechart span=$chartSpan$ avg("%_Processor_Time") as %_Processor_Time, avg("%_User_Time") as %_User_Time, avg("%_Privileged_Time") as %_Privileged_Time avg("%_Interrupt_Time") as %_Interrupt_Time</query>
    </search>

  <chart id="link35">
    <title>Context Switches/Sec</title>
    <search base="Overview_Data" >
      <query> | timechart span=$chartSpan$ Avg(Context_Switches/sec) As "Context Switches/sec"</query>
    </search>

  </chart>
  </panel>
  </row>
  </form>