Dashboards & Visualizations

How do I use a whole new search query when one of the dropdown options is selected in my Splunk dashboard? (without tokens)

ARU152
Engager

For the first dropdown panel I use $Type$ as a token, and I am able to use the "All" option. However, I have a second dropdown panel in my Splunk dashboard with options as well as "All", but the result of "All" should be all the dropdown options in it added together, since there are values. However, I cannot use the wildcard symbol, because the other dropdown selections use the stats latest function, so using the wildcard for "All" will only take the "latest" instead of adding all the other dropdown values. So I have a new query that I would like to use for this one dropdown option. How do I implement that new search query only when "All" is selected? Do I have to add a change tag in the Splunk XML for that option?

This is the query I want for whenever one of the options is chosen:

host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P<json_data>{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit
| eval is_match=case(match("'$Type$'", "(?i)linux"), "linux", match("'$Type$'", "(?i)windows"), "windows", match("'$Type$'", "(?i)all"), "")
| eval case = lower(PatchActivityTitle)
| eval prefix=case(match("'$server_prefix2$'", "(?i)prdtx"), "prdtx", match("'$server_prefix2$'", "(?i)prdjc"), "prdjc", match("'$server_prefix$'", "(?i)prded"), "prded", match("'$server_prefix$'", "(?i)all"), "")
| table server_prefix, PatchActivityTitle, BusinessUnit, "Already Patched", is_match, case, prefix
| where LIKE(server_prefix, "%".prefix."%") and LIKE(case, "%".is_match."%")
| replace "'*'" WITH "*"
| xyseries PatchActivityTitle, BusinessUnit, "Already Patched"
| fillnull value=0

This is the query I want to show when the "ALL" option is chosen from the dropdown:

host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P<json_data>{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit
| eval is_match=case(match("'$PatchActivityType$'", "(?i)linux"), "linux", match("'$PatchActivityType$'", "(?i)windows"), "windows")
| eval case = lower(PatchActivityTitle)
| stats sum("Already Patched") as "Patched" by PatchActivityTitle, BusinessUnit, is_match, case
| table PatchActivityTitle, BusinessUnit, "Patched", is_match, case
| where LIKE(case, "%".is_match."%")
| xyseries PatchActivityTitle, BusinessUnit, "Patched"
| replace "'*'" WITH "*"
| fillnull value=0

niketn
Legend

Write the <change> event handler for your dropdown input and build the SPL as needed based on the label value selected. PS: $label$ and $value$ are the default tokens for the input change event handler. As you can see in the first condition block, the label can be used directly (the other option is to use the value directly as well), i.e. there is no need to use that as a token. However, while setting the token I have used $value$ instead of $Type$, as we are handling the same token which we need to use.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"