Need Help with Search Command and Dashboard

luvukrishna · ‎03-23-2017

I am trying to create a dashboard that would return count on search, Currently I am getting "service" as input from user through drop-down and I am running search .
Example: when user selects "A" below search is run and result is displayed in panel as count
service="A" | stats count
similarly for other drop downs
service="B" | stats count
service="C" | stats count

I am new to Splunk , Is there a way I can run add all option in drop-down and get result for all fiends in drop-down in tabular format in panel

Required result: On selecting all option
Service | Count
A 10
B 20
C 30

jpass · ‎03-23-2017

Something else to consider is using postprocess search. This way your base search doesn't have to run every time someone chooses an option in the dropdown.

See: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches

Here's the basic idea:

dashboard loads and runs a base search that generates the full list of stats:

| STATS count BY Service
your input dropdown could access the values of 'Service' to dynamically populate your input options
you'll need to still add a static value to cover the * (all) option
your post process search, which dictates the values displayed on your dashboard, is simply:

| SEARCH Service = $dropdown_value$

jpass · ‎03-23-2017

do your search as:

| STATS count BY Service | SEARCH Service = $dropdown_value$

So your drop down has an option for "ALL" who's value is: *

When the user selects A:

| STATS count BY Service | SEARCH Service = "A"

When user selects ALL:
| STATS count BY serivce | SEARCH service = *

Need Help with Search Command and Dashboard

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life