Splunk Search

using multiselect to concatenate fields into a compound key

mschellhouse
Path Finder

We have a dashboard where the user can select multiple values in a multiselect input field. Those values correspond to columns in a Splunk table. We want to be able to concatenate those columns, based on the selection, so that we can easily chart the time series. We are struggling to get the dynamic list resolved in SPL to concatenate the fields.

multiselect options -
Host
Environment
Node Group
etc...

If we select all three, we want to create a new field in each row of the data that contains the 'Host':'Environment':'Node Group'. Sort of like creating a compound key for that summary row. The next user might select 'Node Group':'Environment'. Any suggestions?

0 Karma
1 Solution

mschellhouse
Path Finder

Answering my own question on this one...
A simple delimiter of +":"+ on the multiselect input did the trick.


0 Karma
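The delimiter approach described in the solution above, written out as a complete Simple XML dashboard. This is an added example, not code from any poster in the thread. The token name `key_expr`, the single-quote `valuePrefix`/`valueSuffix`, the mapping of the labels to the field names `host`, `assetGroup` and `nodeGroup`, and the `makeresults` sample data are assumptions made for illustration.

```xml
<form>
  <label>Compound key from multiselect (added example)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key_expr">
      <label>Key fields</label>
      <!-- Choice values are field names, not display labels (assumed mapping).
           Keep this a fixed list: the token is substituted verbatim into the eval. -->
      <choice value="host">Host</choice>
      <choice value="assetGroup">Environment</choice>
      <choice value="nodeGroup">Node Group</choice>
      <default>host,assetGroup</default>
      <!-- Each selection becomes 'field'; selections are joined with +":"+ ,
           so host and assetGroup expand to 'host'+":"+'assetGroup' -->
      <valuePrefix>'</valuePrefix>
      <valueSuffix>'</valueSuffix>
      <delimiter>+":"+</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <!-- Constructed sample data stands in for the tstats search from the thread -->
        <search>
          <query>| makeresults count=6
| streamstats count AS n
| eval _time=_time-(n*60), host="host".(n%2), assetGroup="prod", nodeGroup=if(n%2==0,"web","db"), usage=n*10
| eval dd1=$key_expr$
| timechart span=1m useother=f limit=0 avg(usage) AS "CPU usage" by dd1</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

If any selected field is null on a row, the `+` concatenation yields a null `dd1` and that row drops out of the split-by series.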

mschellhouse
Path Finder

Thanks for trying, but neither example works for us. Here is the exact query. The idea is to use the multiselect on a dashboard to replace what is currently a static list. The example below highlights one static selection ('host'+ ":"+ 'assetGroup').

| tstats max("CPU.lpar_vp_usage") AS vp_usage max("CPU.cpu_PCT") AS pct_usage values(CPU.assetGroup) AS assetGroup values(CPU.assetAreaName) AS assetAreaName values(CPU.assetName) AS assetName values(CPU.assetColor) AS assetColor values(CPU.nodeType) AS nodeType values(CPU.nodeGroup) AS nodeGroup values(CPU.cluster) AS cluster values(CPU.awsAutoScalingGroupId) AS awsAutoScalingGroupId
from datamodel=NMON_Data_CPU
where (nodename = CPU) (CPU.type="CPU_ALL" OR CPU.type="LPAR") (host="*")
by _time, host, CPU.assetGroup, CPU.assetAreaName, CPU.assetName span=1m
| search (assetGroup="prod") (assetAreaName ="*") (assetName ="USA") (assetColor = "*") (nodeType="*") (nodeGroup="*") (cluster ="*") (awsAutoScalingGroupId="*")
| eval dd1='host'+ ":"+ 'assetGroup'
| stats dedup_splitvals=t max("pct_usage") AS pct_usage by _time, host, assetGroup, assetAreaName, assetName, dd1
| eval usage=if(isnum(vp_usage), vp_usage, pct_usage)
| timechart useother=f limit=0 avg(usage) AS "CPU usage" by dd1

0 Karma

TISKAR
Builder

@mschellhouse , can you try this please:

<fieldset submitButton="false">
  <input type="multiselect" token="field1">
    <label>field1</label>
    <choice value="Host">Host</choice>
    <choice value="Environment">Environment</choice>
    <choice value="Node Group">Node Group</choice>
    <delimiter>:</delimiter>
    <valuePrefix>'</valuePrefix>
    <valueSuffix>'</valueSuffix>
  </input>
</fieldset>

0 Karma

cmerriman
Super Champion

If you use a regex, you might be able to do something. The regex below is saying that the input itself is input=Environment OR input=....

|makeresults|eval input="$token$"|rex field=input mode=sed "s/ OR input=/':'/g"|rex field=input mode=sed "s/input=|$/'/g"

0 Karma