Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: dynamic valueSuffix tag
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fsaporito
Explorer
12-11-2019
12:29 AM
Hello,
I have this checkbox in my dashboard:
<input type="multiselect" token="t_case" searchWhenChanged="true">
<label>Cases</label>
<search base="base">
<query>| dedup Rule</query>
</search>
<delimiter> , </delimiter>
<fieldForLabel>Rule</fieldForLabel>
<fieldForValue>Rule</fieldForValue>
<default>FUAA01,NML02,WML01,WML02</default>
<valuePrefix>count(eval(Rule="</valuePrefix>
<valueSuffix>")) AS $value$</valueSuffix>
</input>
the problem is valueSuffix, it seems cannot be "dynamic" (i.e. the suffix is totally missing because it seems it cannot evaluate $value$ and it's totally lost).
this token is evaluated in a chart command and this should be the final output (with two selected values, for example):
chart count(eval(Rule="FUAA01")) AS FUAA101 , count(eval(Rule="NML02")) AS NML02 over date_month by CustomerID
Is there a way to achieve that, only with XML?
thanks,
Fausto
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-22-2019
03:34 PM
Dashboard Input:
<input type="multiselect" token="t_case" searchWhenChanged="true">
<label>Cases</label>
<fieldForLabel>Rule</fieldForLabel>
<fieldForValue>case</fieldForValue>
<search base="base">
<query>
| dedup Rule
| mvcombine Rule
| eval prefix="count(eval(Rule=\""
| eval sufix="\")) AS "
| mvexpand Rule
| eval case=prefix.Rule.sufix.Rule
| table case Rule</query>
</search>
<delimiter> </delimiter>
<default>"count(eval(Rule=""FUAA01"")) AS FUAA01","count(eval(Rule=""NML02"")) AS NML02","count(eval(Rule=""WML01"")) AS WML01","count(eval(Rule=""WML02"")) AS WML02"</default>
</input>
Query:
| chart $t_case$ over date_month by CustomerID
My sample XML:
<form>
<label>dynamic token</label>
<fieldset submitButton="false">
<input type="multiselect" token="t_case" searchWhenChanged="true">
<label>Cases</label>
<fieldForLabel>Rule</fieldForLabel>
<fieldForValue>case</fieldForValue>
<search>
<query>| makeresults
| eval Rule=split("FUAA01,NML02,WML01,WML02",",")
| mvexpand Rule
| table Rule
| mvcombine Rule
| eval prefix="count(eval(Rule=\""
| eval sufix="\")) AS "
| mvexpand Rule
| eval case=prefix.Rule.sufix.Rule
| table case Rule</query>
</search>
<delimiter> </delimiter>
<default>"count(eval(Rule=""FUAA01"")) AS FUAA01"</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1y@d"), relative_time(_time,"@d"))
| makecontinuous span=1d _time
| eval Rule=mvindex(split("FUAA01,NML02,WML01,WML02",","),(random() % 4))
| eval CustomerID="ID".(random() % 5 + 1)
| table _time CustomerID Rule
| eval date_month=strftime(_time,"%m")
| chart $t_case$ over date_month by CustomerID</query>
<earliest>-1d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Hi, @fsaporito
I managed to do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-22-2019
03:34 PM
Dashboard Input:
<input type="multiselect" token="t_case" searchWhenChanged="true">
<label>Cases</label>
<fieldForLabel>Rule</fieldForLabel>
<fieldForValue>case</fieldForValue>
<search base="base">
<query>
| dedup Rule
| mvcombine Rule
| eval prefix="count(eval(Rule=\""
| eval sufix="\")) AS "
| mvexpand Rule
| eval case=prefix.Rule.sufix.Rule
| table case Rule</query>
</search>
<delimiter> </delimiter>
<default>"count(eval(Rule=""FUAA01"")) AS FUAA01","count(eval(Rule=""NML02"")) AS NML02","count(eval(Rule=""WML01"")) AS WML01","count(eval(Rule=""WML02"")) AS WML02"</default>
</input>
Query:
| chart $t_case$ over date_month by CustomerID
My sample XML:
<form>
<label>dynamic token</label>
<fieldset submitButton="false">
<input type="multiselect" token="t_case" searchWhenChanged="true">
<label>Cases</label>
<fieldForLabel>Rule</fieldForLabel>
<fieldForValue>case</fieldForValue>
<search>
<query>| makeresults
| eval Rule=split("FUAA01,NML02,WML01,WML02",",")
| mvexpand Rule
| table Rule
| mvcombine Rule
| eval prefix="count(eval(Rule=\""
| eval sufix="\")) AS "
| mvexpand Rule
| eval case=prefix.Rule.sufix.Rule
| table case Rule</query>
</search>
<delimiter> </delimiter>
<default>"count(eval(Rule=""FUAA01"")) AS FUAA01"</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1y@d"), relative_time(_time,"@d"))
| makecontinuous span=1d _time
| eval Rule=mvindex(split("FUAA01,NML02,WML01,WML02",","),(random() % 4))
| eval CustomerID="ID".(random() % 5 + 1)
| table _time CustomerID Rule
| eval date_month=strftime(_time,"%m")
| chart $t_case$ over date_month by CustomerID</query>
<earliest>-1d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Hi, @fsaporito
I managed to do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fsaporito
Explorer
01-08-2020
10:51 PM
Very very nice solution indeed! Perfect!
Thanks a lot!
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
