topic Re: How can multiselect input accommodate logs with different field names for the same values? in Dashboards & Visualizations

How can multiselect input accommodate logs with different field names for the same values?

MonkeyK — Thu, 02 Feb 2017 23:37:28 GMT

My dashboard is based on a datamodel but it has drilldowns to the actual logs

If I have a multiselect for actions (A, B, C), I can set the valuePrefix with a delimiter of "OR"

<input type="multiselect" token="form_action">
      <label>Action</label>
      <choice value="=A">A</choice>
      <choice value="=B">B</choice>
      <choice value="=C">C</choice>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>DataModel.action</valuePrefix>
      <delimiter> OR </delimiter>
      <default>=A,=B</default>
      <initialValue>=A,=B</initialValue>
 </input>

So that based on selections, I can define DataModel search terms to

DataModel.action=A OR DataModel.action=B

However the actual event log does not have the field DataModel.action. It only has "action". So when I do a drilldown to the log events, I would like to be able so drill down to a search that includes

action=A OR action=B

The two ideas that I have to do this are

rename the prefix to just "action" and delay my datamodel search terms until after I have selected from my datamodel:

|tstats count from datamode=DataModel by DataModel.action | eval action=DataModel.action | search $form_action$
create field alias for my log source field action called DataModel.action then searches for DataModel.action should work

IMO, the first option is bad because it does not allow further variation in log sources. So if I had visualizations that might drill down to different log sources, with different field names for "action", I could not create those drill downs
The second option is slightly better but I would also not like to start creating aliases for logs source to match data models

Is there a better way to do this?

Re: How can multiselect input accommodate logs with different field names for the same values?

cmerriman — Fri, 03 Feb 2017 12:49:19 GMT

have you tried putting the token inside the tstats?

|tstats count from datamode=DataModel  where $form_action$ by DataModel.action

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Tstats

Re: How can multiselect input accommodate logs with different field names for the same values?

MonkeyK — Fri, 03 Feb 2017 17:42:40 GMT

Does that resolve multiple values from the multiselect? I am thinking not.

Re: How can multiselect input accommodate logs with different field names for the same values?

MonkeyK — Wed, 08 Feb 2017 02:45:32 GMT

Yeah. I tried it and that does not handle the multiple values

Re: How can multiselect input accommodate logs with different field names for the same values?

cmerriman — Wed, 08 Feb 2017 12:42:35 GMT

i just made a dashboard with tstats and used the same multiselect XML as yours above and am able to click one or both of them and the data is showing. check my edit. I had a typo.

Re: How can multiselect input accommodate logs with different field names for the same values?

MonkeyK — Wed, 08 Feb 2017 17:29:09 GMT

Yes, your edit is what I had been doing. As noted in my qestion, the multi-select works on a single source.
My problem occurs when I want to drill down or use the same input for a source that names the field differently. My question is looking for a best way to handle that.

Re: How can multiselect input accommodate logs with different field names for the same values?

MonkeyK — Wed, 08 Feb 2017 17:38:17 GMT

I have recently learned that I can create a new token using eval:

in the case of my drilldown, inside the drilldown definition, I can do:

<drilldown target="_blank">
          <set token="newAction">$form_action$</set>
          <eval token="newAction">replace($form_action$,"DataModel.action","action")</eval>
          <eval token="newAction">replace($newAction$,"DataModel.action","action")</eval>
...
</drilldown>

Re: How can multiselect input accommodate logs with different field names for the same values?

cmerriman — Thu, 09 Feb 2017 02:09:05 GMT

You beat me to it! I was sitting at home thinking about this and I thought, "oh an eval would work, I'll quick add a comment" but I hadn't noticed that you've posted so long ago!