Splunk Search

Average of results from input search

danielsavage
New Member

So I have a search set up where I can find the cpu of a server for a given host. However, now I want to add an option in for ALL hosts where selecting this option would give me the total for all the hosts. At the moment I have filters to narrow down to 5 or so hosts where I can then pick one to choose from. Now I want an option on an input dropdown menu, where if selected would add all of these hosts together. How do I edit my search statement to do this? At the moment it is currently:

|inputlookup input.csv.gz | search name = $application$ | stats  values(hostName) AS hostname | mvexpand hostname

which gets the chosen host and the following generates the dashboard

index=index sourcetype="courscetype"  $hostname$ date_year = $yearr$ date_month = $monthh$ | dedup _raw  | eval A = substr(tostring(date_wday),1,1) | eval B = substr(date_wday,2) | eval A = upper(A) | eval dte = A + B  | eval newDate = tostring(date_mday + \" \" + dte) |  chart limit=0 max(AvgCpuPerc) over newDate by date_hour  | table newDate 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | rename newDate as "Date/Time"
Tags (1)
0 Karma

Richfez
SplunkTrust
SplunkTrust

Inside your drop down, add a Static option named "All" with a value of *. (Yes, you can mix these right in there with your dynamic options).

Save that, refresh and give it a try.

0 Karma

danielsavage
New Member

The problem is, this gives all the hosts, and what I want are all the hosts filtered down so far if that makes sense?

0 Karma

Richfez
SplunkTrust
SplunkTrust

OH! I see, you hadn't gotten quite that far yet. I think?

It sounds like you want a multi-select? We could try this and see if it's what you want...

I am assuming you have the dashboard, etc... and you need to know how to make a "select one or more of these" drop down and get your results to filter to that. This may or may not be the case, but hopefully it's close enough you can adapt it? Because it sounds like you have some work done already, but it's not actually clear what. So maybe just starting here and seeing how this works...

Edit your dashboard, put on it a Multiselect input. Label it "Hosts" or something. Name the token "host_tok". (Well, you can name these anything you want, but I"m going to use those names below so if you change it here, change it everywhere... 🙂 )

Now, given the way you are feeding your token into your search, scroll down in the Token Options section until you can see all of "Token Prefix" through "Preview". For Token Prefix, but (. For Token Suffix put ). You'll see the Preview change to show parentheses around the entire string.

You do not need a Token Value Prefix or Suffix (you would use those if your tokens were, say, hostname=$hostname$, in which case your prefix would be hostname=, right?)

For your delimiter, put in OR <-- be careful, that's a <space>OR<space>, not just a OR in there.

Now, scroll down to "Dynamic options" and for your search string, put your search

|inputlookup input.csv.gz | search name = $application$ | stats  values(hostName) AS hostname | mvexpand hostname

Put hostname as both the Field for Label and the Field for Value.

Click apply, OK, all that jazz.

Now, edit the search on the dashboard. Where you have this as the first part...

index=index sourcetype="sourcetype"  $hostname$ date_year = $year$ date_month = $month$ ...

You'll want to change the $hostname$ to $host_tok$.

Once done, the list of hosts that you've picked in the multi-select (let's say it's "hosta" and "hostb" for the sake of illustration) will be appended together and slapped in that spot in your search, give you ...

index=index sourcetype="sourcetype" (hosta OR hostb) ...

And I think that may be helpful.

Can you give that a try - maybe even just play with it on a brand new dashboard and see how that works?

0 Karma

Richfez
SplunkTrust
SplunkTrust

danielsavage,

Did this help you find your answer?

If it did, could you mark it as accepted, and if not then let us know what else you need!

Happy Splunking,
Rich

0 Karma

danielsavage
New Member

Hi, no it didn't as the * still selected all values for the field in the index. Instead I pulled all the values from the dropdown with javascript and did it that way!
I appreciate you trying to help anyway 🙂

0 Karma

Richfez
SplunkTrust
SplunkTrust

Great! Glad to hear you got something working!

That a technique I've not heard of and I'd bet there are others who'd like to know how you did this. Any chance you could create an Answer to this question with what you did?

And obviously, you could then accept your own answer!

Thanks,
Rich

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...