Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Taking a numerical text input for dashboard to narrow down results

AshimaE
Explorer
‎06-14-2017 10:13 PM

Hello.
I have achieved result table using sort on a parameter. Here I am directly giving the top 20 highest results.

index=a sourcetype=b host=* earliest=-6h | sort 0 host time| streamstats current=f window=1 values(du) as prevdu by host |where isnotnull(prevdu) |eval useddiff = du - prevdu | eval velo = useddiff/15 | stats avg(velo) by host| table host avg(velo) | rename avg(velo) as velocity | sort -velocity | head 20

Now the task that I want to achieve is that for an text input field I want to read the input as a number and set this as a threshold and only display the top 20 results crossing the threshold only.
I had tried 

index=a sourcetype=b host=* earliest=-6h | sort 0 host time | streamstats current=f window=1 values(du) as prevdu by host |where isnotnull(prevdu) |eval useddiff = du - prevdu | eval velo = useddiff/15 | stats avg(velo) by host| table host avg(velo) | rename avg(velo) as velocity | convert num($myinput$) as vthold | where velocity >= vthold |sort -velocity | head 20

But this is not narrowing down the results. I suspet that is because Splunk is reading it as a text. Any suggestions how I could achieve the same.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎06-14-2017 11:50 PM

@AshimaE, like @yuanliu mentioned, you should be able to use numeric comparison directly from numeric value passed on from the text box. There is not need for convert the same.

Following is a run anywhere search which performs digit validation on textbox (you can write more specific JavaScript Regular Expression as per your needs). The token tokVelThold to be used in search gets set only when all characters entered in Text Box are digits, otherwise the Search Panel remains hidden since the token is not set.

  <fieldset submitButton="false">
    <input type="text" token="selVelThold">
      <label>Add threshold</label>
      <change>
          <eval token="tokVelThold">case(match(value, &quot;^[0-9]+$&quot;), $value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokVelThold: $tokVelThold$</title>
      <table depends="$tokVelThold$">
        <search>
          <query>| makeresults
| eval velocity=1000
| eval vthold=$tokVelThold$
| where velocity &gt;= vthold 
| sort -velocity
| head 20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

Alternatively you can also pass all values from the Text Box to the token and default the the value to 0 in case it is not number through 

| eval velThold=$selVelThold$ 
| eval velThold=case(isnum(velThold),velThold,true(),0)
| where velocity &gt;= vthold 
| sort -velocity
| head 20
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎06-14-2017 11:50 PM

@AshimaE, like @yuanliu mentioned, you should be able to use numeric comparison directly from numeric value passed on from the text box. There is not need for convert the same.

Following is a run anywhere search which performs digit validation on textbox (you can write more specific JavaScript Regular Expression as per your needs). The token tokVelThold to be used in search gets set only when all characters entered in Text Box are digits, otherwise the Search Panel remains hidden since the token is not set.

  <fieldset submitButton="false">
    <input type="text" token="selVelThold">
      <label>Add threshold</label>
      <change>
          <eval token="tokVelThold">case(match(value, &quot;^[0-9]+$&quot;), $value$)</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokVelThold: $tokVelThold$</title>
      <table depends="$tokVelThold$">
        <search>
          <query>| makeresults
| eval velocity=1000
| eval vthold=$tokVelThold$
| where velocity &gt;= vthold 
| sort -velocity
| head 20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>

Alternatively you can also pass all values from the Text Box to the token and default the the value to 0 in case it is not number through 

| eval velThold=$selVelThold$ 
| eval velThold=case(isnum(velThold),velThold,true(),0)
| where velocity &gt;= vthold 
| sort -velocity
| head 20
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

AshimaE
Explorer
‎06-15-2017 03:31 AM

The alternative worked well for the case. Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-15-2017 05:36 AM

Hi @AshimaE, I have converted my comment to Answer, please Accept if it helped. In the Regular Expression you can handle decimal as well (if you want to perform floating number validation).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-14-2017 10:45 PM

If values in $myinput$ can be interpreted as numbers, it will be used as a number. Have you tried'| where velocity >=$myinput$ instead? There should be no convert needed.

0 Karma
Reply
Solved! Jump to solution

AshimaE
Explorer
‎06-14-2017 11:31 PM

Yes I did try that. No narrowing down was there.. Also I need to consider decimal point numbers as my input as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...