topic Re: using multiselect to concatenate fields into a compound key in Splunk Search

using multiselect to concatenate fields into a compound key

mschellhouse — Fri, 27 Apr 2018 18:57:35 GMT

We have a dashboard where the user can select multiple in a multiselect input field. Those values correspond to column in a splunk table. We want to be able to concatenate those columns, based on selection, so that we can easily chart the timeseries. We are struggling to get the dynamic list resolved in SPL to concatenate the fields.

multiselect options -
Host
Environment
Node Group
etc...

If we select all three, we want to create a new field in each row of the data that contains the 'Host':'Environment':'Node Group'. Sort of like creating a compound key for that summary row. The next user might select 'Node Group':'Environment'. Any suggestions?

Re: using multiselect to concatenate fields into a compound key

cmerriman — Fri, 27 Apr 2018 20:13:07 GMT

if you use a regex, you might be able to do something. The regex below is saying that the input itself is input=Environment OR input=....

Re: using multiselect to concatenate fields into a compound key

TISKAR — Fri, 27 Apr 2018 20:27:19 GMT

@mschellhouse , can you try this please:

<fieldset submitButton="false">
    <input type="multiselect" token="field1">
      <label>field1</label>
      <choice value="Host">Host</choice>
      <choice value="Environment">Environment</choice>
      <choice value="Node Group">Node Group</choice>
      <delimiter>:</delimiter>
      <valuePrefix>'</valuePrefix>
      <valueSuffix>'</valueSuffix>
    </input>
  </fieldset>

Re: using multiselect to concatenate fields into a compound key

mschellhouse — Tue, 29 Sep 2020 19:23:01 GMT

Thanks for trying but neither examples work for us. here is the exact query. The idea is to use the multiselect on a dashboard to replace what is currently a static list. The example below highlights one static selection ('host'+ ":"+ 'assetGroup').

| tstats max("CPU.lpar_vp_usage") AS vp_usage max("CPU.cpu_PCT") AS pct_usage values(CPU.assetGroup) AS assetGroup values(CPU.assetAreaName) AS assetAreaName values(CPU.assetName) AS assetName values(CPU.assetColor) AS assetColor values(CPU.nodeType) AS nodeType values(CPU.nodeGroup) AS nodeGroup values(CPU.cluster) AS cluster values(CPU.awsAutoScalingGroupId) AS awsAutoScalingGroupId
from datamodel=NMON_Data_CPU
where (nodename = CPU) (CPU.type="CPU_ALL" OR CPU.type="LPAR") (host="")
by _time, host, CPU.assetGroup, CPU.assetAreaName, CPU.assetName span=1m
| search (assetGroup="prod") (assetAreaName ="") (assetName ="USA") (assetColor = "") (nodeType="") (nodeGroup="") (cluster ="") (awsAutoScalingGroupId="*")
| eval dd1='host'+ ":"+ 'assetGroup'
| stats dedup_splitvals=t max("pct_usage") AS pct_usage by _time, host, assetGroup, assetAreaName, assetName, dd1
| eval usage=if(isnum(vp_usage), vp_usage, pct_usage)
| timechart useother=f limit=0 avg(usage) AS "CPU usage" by dd1

Re: using multiselect to concatenate fields into a compound key

mschellhouse — Mon, 30 Apr 2018 15:16:28 GMT

Answering my own question on this one...
A simple delimiter of +":"+ on the multiselect input did the trick.