nested level dropdown

bollam
Path Finder

I have a query to list out all the values of directory.

index=main source="*test*" | stats count by directory

This gives me all the directories that are present in the events, and the values of the directories in the events are as follows:

/opt/test/splunklog/testing/directory1/test1.log
/opt/test/splunklog/testing/directory1/test2.log
/opt/test/splunklog/testing/directory1/test3.log
/opt/test/splunklog/testing/directory1/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test2.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test3.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test4.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test4.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test2.log
/opt/test/splunklog/testing/directory1/directory2/testing1.log
/opt/test/splunklog/testing/directory1/directory2/testing2.log
/opt/test/splunklog/testing/directory1/directory2/testing3.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test3.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test4.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test2.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test3.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test3.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test4.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test4.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test2.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test1.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test2.log
/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test3.log

I want to use these results as the values of a dropdown in the dashboard.

I need to aggregate the results at different directory nesting levels, and the nesting level should be selectable.
By default, aggregation should be done at level 3 (e.g. /opt/test/splunklog/testing). I should be able to select 4th, 5th or 6th level aggregation.

Thanks in Advance

0 Karma

niketn
Legend

@bollam try the following run anywhere example. Based on your sample data, I have created the directory counts as 6, 7, 8, 9 and above 9 instead of 3, 4, 5, 6 and above 6. Based on the selection of the directory level in the dropdown, the directories that satisfy that condition are returned as a string. For example, for directories with the default nesting, i.e. 6 in the example below, the following are the directories returned:
"/opt/test/splunklog/testing/directory1/test1.log","/opt/test/splunklog/testing/directory1/test2.log","/opt/test/splunklog/testing/directory1/test3.log"

<form>
  <label>Directory Filter</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokDirectoriesBasedOnLevel" searchWhenChanged="true">
      <label>Select Directory Level</label>
      <search>
        <query>| makeresults 
| eval directory="/opt/test/splunklog/testing/directory1/test1.log;/opt/test/splunklog/testing/directory1/test2.log;/opt/test/splunklog/testing/directory1/test3.log;/opt/test/splunklog/testing/directory1/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test2.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test3.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test4.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test4.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test2.log;/opt/test/splunklog/testing/directory1/directory2/testing1.log;/opt/test/splunklog/testing/directory1/directory2/testing2.log;/opt/test/splunklog/testing/directory1/directory2/testing3.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test3.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test4.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test2.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test3.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test3.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test4.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test4.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test2.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test1.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test2.log;/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test3.log"
    | makemv directory delim=";" 
| mvexpand directory 
| fields - _time 
| stats count by directory 
| eval directoriesForCount=directory 
| makemv directoriesForCount delim="/" 
| eval countOfDirectories=mvcount(directoriesForCount) 
| eval directoryNesting=case(countOfDirectories=6,"1. default",
    countOfDirectories=7,"2. 7th Level",
    countOfDirectories=8,"3. 8th Level",
    countOfDirectories=9,"4. 9th Level",
    true(),"5. Above 9th Level"
    ) 
| stats values(directory) as directories by directoryNesting 
| eval directories="\"".mvjoin(directories,"\",\"")."\"" 
| eval directoryNesting=replace(directoryNesting,"\d\.\s(.*)","\1")</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <default>"/opt/test/splunklog/testing/directory1/test1.log","/opt/test/splunklog/testing/directory1/test2.log","/opt/test/splunklog/testing/directory1/test3.log"</default>
      <fieldForLabel>directoryNesting</fieldForLabel>
      <fieldForValue>directories</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <div>
          index=yourIndexNameGoesHere source IN ($tokDirectoriesBasedOnLevel$)
        </div>
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@bollam what do you mean by aggregate at different nesting levels?

Does it mean the dropdown will show directory1, directory2 etc. and
1) When we select directory1 the path would be /opt/test/splunklog/testing/directory1
2) When we select directory2 the path would be /opt/test/splunklog/testing/directory1/directory2 etc?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bollam
Path Finder

@niketnilay The dropdown should contain the values of the field "directory" which have three or more directories. The dropdown should have the values "default", "fourth level", "fifth level", "sixth level" and "above six".
The values of "default" should be the values of directory which contain exactly three directories, e.g. (/opt/test/splunklog/).
The values of "fourth level" should contain the values of directory which contain four directories, e.g. (/opt/test/splunklog/testing/). Similarly for fifth and sixth.
The values of "above six" should contain the values of directory which contain more than 6 directories.
The dropdown should exclude the values of directory which have fewer than 3, e.g. (/opt/test/, /opt).
Please let me know if I missed anything or you need more information on this.

0 Karma

dmarling
Builder

I have a query that will perform that nesting calculation, but I'm failing to see how you will use it in a drop down. I have a run anywhere example that may answer your question, but I'd need some clarification on how you will use the token it generates as that dictates how the query needs to be constructed. Take a look at this as a first pass on this:

<form>
  <label>Run Anywhere nested directory drop down</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="directorytoken">
      <label>Tier Selector</label>
      <default>mvindex(directoryanalysis, 2)="splunklog"</default>
      <fieldForLabel>displayname</fieldForLabel>
      <fieldForValue>token</fieldForValue>
      <search>
        <query>| makeresults count=1 
| fields - _time
| eval data="/opt/test/splunklog/testing/directory1/test1.log
 /opt/test/splunklog/testing/directory1/test2.log
 /opt/test/splunklog/testing/directory1/test3.log
 /opt/test/splunklog/testing/directory1/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test2.log
 /opt/test/splunklog/testing/directory1/directory2/testing1.log
 /opt/test/splunklog/testing/directory1/directory2/testing2.log
 /opt/test/splunklog/testing/directory1/directory2/testing3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test3.log" 
| makemv data tokenizer="(?&lt;data&gt;[^\n\e]+)" 
| mvexpand data 
| eval data=trim(data)
| dedup data
| eval databackup=data
| makemv data delim="/" 
| eval data=mvfilter(NOT match(data, "\.log"))
| eval Tiers=mvcount(data)
| mvexpand data
| streamstats count as Tier by databackup 
| eval calc=Tier-1
| eval token="mvindex(directoryanalysis, ".calc.")=\"".data."\""
| stats count values(token) as token by Tier
| where Tier&gt;=3 AND Tier&lt;7
| eval displayname=if(Tier&lt;6, "level ".Tier, "Greater than equal to 6")
| sort 0 + Tier
| eval token=mvjoin(token, " OR ")
| table displayname token</query>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=1 
| fields - _time
| eval directory="/opt/test/splunklog/testing/directory1/test1.log
 /opt/test/splunklog/testing/directory1/test2.log
 /opt/test/splunklog/testing/directory1/test3.log
 /opt/test/splunklog/testing/directory1/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/test2.log
 /opt/test/splunklog/testing/directory1/directory2/testing1.log
 /opt/test/splunklog/testing/directory1/directory2/testing2.log
 /opt/test/splunklog/testing/directory1/directory2/testing3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/directory9/directory10/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test3.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test4.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test1.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test2.log
 /opt/test/splunklog/testing/directory1/directory2/directory3/directory4/directory5/directory6/directory7/directory8/test3.log" 
| makemv directory tokenizer="(?&lt;directory&gt;[^\n\e]+)" 
| mvexpand directory
| eval directory=trim(directory)
| eval directoryanalysis=directory
| makemv directoryanalysis delim="/" 
| eval directoryanalysis=mvfilter(NOT match(directoryanalysis, "\.log"))
| eval Tiers=mvcount(directoryanalysis)
| where $directorytoken$
| fields - directoryanalysis, Tiers</query>
          <earliest>-5m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
If this comment/answer was helpful, please upvote it. Thank you.
0 Karma
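The level bucketing that both answers above implement in SPL (makemv with mvcount in the first, mvfilter and streamstats in the second), written out below as an added Python reference that is not code from either poster. It assumes the final path component is always a file name and is not counted (true of every value posted in the question), a start level of 3 and an explicit top level of 6 with the labels from the asker's follow-up ("default" through "above six"), and a constructed sample of paths: a subset of the posted ones plus a few made-up entries marked as such, including one that is too shallow to appear and one with a doubled slash. It also covers a step neither dashboard performs: quoting each path as an SPL string literal, with backslashes and double quotes escaped, before it becomes the token value that the panel search drops into source IN (...), so a file name containing a quote cannot end the literal early.

```python
"""Added reference implementation (Python, not SPL) of the directory-depth
bucketing the dashboards in this thread perform: count how many directories a
path is nested in, place it in a level bucket, drop paths shallower than the
starting level, and build the quoted list the dropdown token carries into
`source IN (...)`.

Assumptions, none of which come from the posts:
  * every value is a file path (as in all posted data), so the final component
    is a file name and is not counted as a directory;
  * the start level is 3 and the last explicit level is 6, with the labels
    from the asker's follow-up ("default" ... "above six");
  * empty components from leading or doubled slashes are ignored, which is
    also how makemv delim="/" treats the leading slash.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MIN_LEVEL = 3
MAX_LEVEL = 6
LEVEL_LABELS = {3: "default", 4: "fourth level", 5: "fifth level", 6: "sixth level"}
ABOVE_LABEL = "above six"

# Constructed sample: a subset of the posted paths plus a few made-up ones
# (marked) that exercise the buckets and edge cases the posted data lacks.
SAMPLE_PATHS = [
    "/opt/test/splunklog/boot.log",                       # constructed: 3 dirs
    "/opt/test/splunklog/testing/setup.log",              # constructed: 4 dirs
    "/opt/test/splunklog/testing/directory1/test1.log",
    "/opt/test/splunklog/testing/directory1/test2.log",
    "/opt/test/splunklog/testing/directory1/directory2/testing1.log",
    "/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/test1.log",
    "/opt/test/splunklog/testing/directory1/directory2/directory3/directory4/"
    "directory5/directory6/directory7/test2.log",
    "/opt/test",                                          # constructed: too shallow
    "/opt/test/splunklog//testing/directory1/test1.log",  # constructed: doubled slash
]


def directory_depth(path: str) -> int:
    """Number of directories the file at `path` sits in."""
    components = [c for c in path.split("/") if c]  # drop '' from '/' and '//'
    return max(len(components) - 1, 0)               # last component is the file


def nesting_bucket(path: str) -> Optional[str]:
    """Bucket label for `path`, or None when it is shallower than MIN_LEVEL."""
    depth = directory_depth(path)
    if depth < MIN_LEVEL:
        return None
    if depth > MAX_LEVEL:
        return ABOVE_LABEL
    return LEVEL_LABELS[depth]


def group_by_level(paths: List[str]) -> Dict[str, List[str]]:
    """Equivalent of `stats values(directory) by directoryNesting`: distinct
    paths per bucket, sorted, with excluded paths left out."""
    groups: Dict[str, set] = defaultdict(set)
    for path in paths:
        label = nesting_bucket(path)
        if label is not None:
            groups[label].add(path)
    return {label: sorted(members) for label, members in groups.items()}


def spl_string_literal(value: str) -> str:
    """Quote `value` as an SPL double-quoted string. Backslashes and quotes in
    the path are escaped so a file name containing a quote cannot end the
    literal early and change the meaning of the search the token lands in."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def spl_in_list(paths: List[str]) -> str:
    """Token value for `source IN ($tok$)`: comma-separated quoted literals.
    Paths are kept verbatim (a doubled slash is not normalised) because
    `source` is matched against the literal value Splunk indexed."""
    return ",".join(spl_string_literal(p) for p in sorted(paths))


def dropdown_rows(paths: List[str]) -> List[Tuple[str, str]]:
    """(label, value) rows in level order, i.e. what fieldForLabel and
    fieldForValue would read from the dropdown's search results."""
    order = [LEVEL_LABELS[level] for level in range(MIN_LEVEL, MAX_LEVEL + 1)]
    order.append(ABOVE_LABEL)
    groups = group_by_level(paths)
    return [(label, spl_in_list(groups[label])) for label in order if label in groups]


if __name__ == "__main__":
    for label, value in dropdown_rows(SAMPLE_PATHS):
        print(f"{label:13s} -> source IN ({value})")
```

Run it directly to print one line per bucket. On the posted data alone the "default" and "fourth level" rows would be empty, because every posted path is at least five directories deep; the constructed entries exist only to show those buckets and the exclusion of a too-shallow path.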