For the first dropdown panel I use $Type$ as a token, and I am able to use the "All" option. However, I have a second dropdown panel in my Splunk dashboard with options as well as "All". But the result of "All" should be all the dropdown options in it added together since there are values. However, I cannot use the wildcard symbol because the other dropdown selections use the stats latest function, so using the wildcard "All" will only take the "latest" instead of adding all the other dropdown values. So I have a new query that I would like to use for this one dropdown option. How do I implement that new query search only when "All" is selected? Do I have to add a change tag in the Splunk XML for that option?
This is the query I want for whenever one of the options is chosen:
host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P<json_data>{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit
| eval is_match=case(match("'$Type$'", "(?i)linux"), "linux", match("'$Type$'", "(?i)windows"), "windows", match("'$Type$'", "(?i)all"), "")
| eval case = lower(PatchActivityTitle)
| eval prefix=case(match("'$server_prefix2$'", "(?i)prdtx"), "prdtx", match("'$server_prefix2$'","(?i)prdjc"), "prdjc", match("'$server_prefix$'", "(?i)prded"), "prded", match("'$server_prefix$'", "(?i)all"), "")
| table server_prefix, PatchActivityTitle, BusinessUnit, "Already Patched", is_match, case, prefix
| where LIKE(server_prefix, "%".prefix."%") and LIKE(case,"%".is_match."%")
| replace "'*'" WITH "*"
| xyseries PatchActivityTitle, BusinessUnit, "Already Patched"
| fillnull value=0
This is the query I want to show when the "ALL" option is chosen from the dropdown:
host=hostname sourcetype=syslog index=os_nix PMM_Status_Report
| rex "(?P<json_data>{.*})"
| spath input=json_data path=json_path
| mvexpand json_path
| stats latest(Before_Today) as "Already Patched" by server_prefix, PatchActivityTitle, BusinessUnit
| eval is_match=case(match("'$PatchActivityType$'", "(?i)linux"), "linux", match("'$PatchActivityType$'", "(?i)windows"), "windows")
| eval case = lower(PatchActivityTitle)
| stats sum("Already Patched") as "Patched" by PatchActivityTitle, BusinessUnit, is_match, case
| table PatchActivityTitle, BusinessUnit, "Patched", is_match, case
| where LIKE(case, "%".is_match."%")
| xyseries PatchActivityTitle, BusinessUnit, "Patched"
| replace "'*'" WITH "*"
| fillnull value=0