All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search with 2 variables inside search

dirkbaumann
Explorer
‎05-16-2013 05:30 AM

Hi, could somebody please tell me how i can put 2 Variables inside one Query
I have Written the following



pages

page6
(page="page6")

+OR+
$value$
( $value$ )

Last 15 minutes


<![CDATA[index=page_Index source=page_test $pages$ | chart sum(count) As Result by Success]]>


zero
zero
pie


<![CDATA[
index=page_Index source=page_test $pages$| eval var=if($click1.searchTerms$, count, 0)
| stats sum(var) AS Suc, sum(count) As totalSuc by browser |
eval percentage=round( Suc*100/ totalSuc,2) |
fields - Variable , totalSuc | chart max(percentage) AS % by browser
]]>


column


<![CDATA[
index=page_Index source=page_test $pages$ $click2.searchTerms$|
eval var=if($click1.searchTerms$, count, 0) |
stats sum(var) AS Suc, sum(count) As totalSuc by browserMajorVersion|
eval percentage=round( Suc*100/ totalSuc,2) |
fields - launchSuc , totalSuc | chart max(percentage) AS % by browserMajorVersion
]]>












Could somebody please tell me how to pick 2 variables into one search at a specific place i tried to put it with click1.searchTerms and click2.searchTerms into the system but thats not working with click.searchTerms it's working but at the last query i could not have 2 variables inside

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-07-2013 11:16 AM

There is no valid key in your view called $click1.searchTerms$. I think you mean $click.searchTerms$, which is an extended key added to the JSChart's output by Sideview Utils.

There is a good docs page inside Sideview Utils that gives a broad overview of all the $foo$ tokens that are available with all relevant Sideview and Splunk modules.

Also, you can use the Sideview Editor in "Runtime Debug" mode to take a look at exactly what keys are at exactly what point in exactly what view, at runtime. Which is an overwhelming bit of power, but can be very useful....

By the way you can change the "click" part of that by setting "drilldownPrefix" param on JSChart. In a Sideview module you would always set a "name" param to change that, but the Splunk modules are a little inconsistent as to how you specify the name of the $foo$ token from module to module.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-07-2013 11:16 AM

There is no valid key in your view called $click1.searchTerms$. I think you mean $click.searchTerms$, which is an extended key added to the JSChart's output by Sideview Utils.

There is a good docs page inside Sideview Utils that gives a broad overview of all the $foo$ tokens that are available with all relevant Sideview and Splunk modules.

Also, you can use the Sideview Editor in "Runtime Debug" mode to take a look at exactly what keys are at exactly what point in exactly what view, at runtime. Which is an overwhelming bit of power, but can be very useful....

By the way you can change the "click" part of that by setting "drilldownPrefix" param on JSChart. In a Sideview module you would always set a "name" param to change that, but the Splunk modules are a little inconsistent as to how you specify the name of the $foo$ token from module to module.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...