Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Overlaying data from multiple devices, or being able to select which device to view?

neilmac64
Path Finder
‎09-05-2022 07:13 AM

Further to my previous post here, which was generously solved by ITWhisperer:

Solved: Help with search to use for dashboard - link key-v... - Splunk Community

My chart looks like this (which is what I wanted to achieve).

neilmac64_0-1662385602169.png

 

My challenge now is to have charts which:

  • have the mac_address as a variable rather than fixed so that it's more flexible
    • can we read this from the index rather than have to type it?
    • I have a dashboard that uses the a hostname in this way (syntax below)
  • show the line from multiple devices - stats from (mac_address_1 AND mac_address_2 AND ... (up to mac_address_x)on the same chart
  • option to drop down menu to choose to display either mac_address_1 OR mac_address_2 OR ... (up to mac_address_x)

Again, any help much appreciated.

NM

Current Search:

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

 

Sample search which allows me to view via a variable (hostname). Note - this is an unrelated project - I'm just using for illustration:

host=$host_name$ source="xxx"| timechart avg(value 1) as "Avg Value 1" avg(value_2) as "Avg Value 2" by host

One issue I see is that I already have a "by" defined  in this project, which is "by key".

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 07:36 AM

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

 You could also populate a multi-select dropdown with values from an index search

index=your index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 07:36 AM

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

 You could also populate a multi-select dropdown with values from an index search

index=your index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...