Getting Data In

How do I filter results based on the "Status" field produced by a saved search?

vtsguerrero
Contributor

Hello guys! Sup?

Well, I have a saved search which produces a status field based on an average field and a difference field, so events from this saved search have a field called Status which can be "green", "yellow" or "red". The point is... In another separate view, I need to load this saved search and filter its results based on a radio input: green, yellow and red.
How can I achieve that using this saved search (report)?
Thanks in advance!

0 Karma

aljohnson_splun
Splunk Employee

You'll need to add the report to a dashboard. Then you'll need to add a form input. The form input will then let you define a token, which gets put into the search in the dashboard.

See this as a good example (ignore the app creation part): http://dev.splunk.com/view/webframework-htmldashboards/SP-CAAAETQ

Here is another useful page: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Buildandeditforms

Here is a useful cheatsheet: http://blogs.splunk.com/wp-content/uploads/2013/05/form_cheatsheet.pdf


Here is a relatively sloppy example:
1.) Go to your dashboard
2.) Add your saved search / report
3.) Edit > Edit Source, and add

<input type="radio" token="status_token">
     <label>Select a status</label>
     <choice value="green">Green</choice>
     <choice value="yellow">Yellow</choice>
     <choice value="red">Red</choice>
</input>

Now, go to where your search is in the source, and replace the part of your search with your $status_token$.

<row>
  <panel>
    <!-- Use tokens from the <input> elements in the panel title -->
    <title>
      Visualization of $status_token$ Values
    </title>

    <chart>

      <!-- search for the visualization, references the input tokens -->
      <search>
        <query>
          index=my_fave_index status=$status_token$
        </query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>

    </chart>

  </panel>
</row>


Edit in response to comments:

You could, for example, use what's called a global search.

<!-- This defines your "global search" -->
<search id="global_search" ref="main_search_report"></search>


<!-- This defines your token -->
<input type="radio" token="status_token">
  <label>Select a status</label>
  <choice value="green">Green</choice>
  <choice value="yellow">Yellow</choice>
  <choice value="red">Red</choice>
</input>


<!-- This defines your second search -->
<row>
  <panel>
    <table>
      <search base="global_search">
        <query>| search STATUS=$status_token$</query>
      </search>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">cell</option>
    </table>
  </panel>
</row>

See this link for more help: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Buildandeditforms#Create_a_form_with_a_global_...
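The fragments above put together as one complete Simple XML form. This is an added example, not code from the answer or from Splunk's documentation. It assumes the saved report is named main_search_report (a placeholder, as in the answer) and that the report emits a STATUS field with the capitalised values Green, Yellow and Red shown in the sample output below; the "All" choice, the default token value and the searchWhenChanged attribute are additions that the answer does not mention.

```xml
<form>
  <label>Process status by report (added example)</label>

  <!-- Base search: runs the saved report exactly once. "main_search_report" is a
       placeholder for the real report name. The report already computes PROCESS,
       LAST_VOLUME, AVERAGE_VOLUME, VARIATION_VOLUME and STATUS for every process,
       so no per-status copy of the report is needed. -->
  <search id="base_status_report" ref="main_search_report"></search>

  <fieldset submitButton="false">
    <!-- The radio input only sets $status_token$; it does not run a search itself -->
    <input type="radio" token="status_token" searchWhenChanged="true">
      <label>Select a status</label>
      <!-- Choice values match the casing the report emits. "*" matches every row
           that has a STATUS field, which gives an unfiltered view. -->
      <choice value="*">All</choice>
      <choice value="Green">Green</choice>
      <choice value="Yellow">Yellow</choice>
      <choice value="Red">Red</choice>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Processes with status: $status_token$</title>
      <table>
        <!-- Post-process search: filters the rows the base search already produced,
             without re-running the report when the radio selection changes -->
        <search base="base_status_report">
          <query>| search STATUS=$status_token$ | table PROCESS LAST_VOLUME AVERAGE_VOLUME VARIATION_VOLUME STATUS</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

This is the "query inside a query" the follow-up asks about: the report runs once, and each radio choice only re-applies the `| search STATUS=...` post-process over its results. The limitation the answer alludes to is that Splunk caps how many base-search results a post-process search can consume, so this pattern is safe when the base search is a transforming search that yields one row per process, as the sample report does; if the report instead returned raw events, the status filter belongs inside the report's own query.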

vtsguerrero
Contributor

Hello @aljohnson_splunk!
But the thing is, this saved search will be used in another query for future dashboards. Will it be able to filter status even after the saved search has been done, so I can use it like an SQL temp table, for example? It should be like a query inside a query...

0 Karma

vtsguerrero
Contributor

For example, this is my current Report:

PROCESS   LAST_VOLUME   AVERAGE_VOLUME      VARIATION_VOLUME   STATUS
BD2VC001  66057315      65995566.000000     0.09356537680      Green
BD2VC002  49328988      49160912.750000     0.34188797685      Green
BD2VC003  105138577     105195031.000000    0.0536660329517    Green
BD1VC004  689874        236995.000000       191.092217135      Red

I'm going to use this report in another dashboard, which is gonna use a Status input filter. Should I make a report for each status and use the token for the name of the report, or can I filter by status after the report is done with all the possible statuses?

0 Karma

aljohnson_splun
Splunk Employee

I updated my answer to what I would do, which is use a global search, but, a lot of this is preference, or dependent on what your data looks like. Global searches have limitations that might make them the wrong choice here.

0 Karma