All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need Help with Search Command and Dashboard

luvukrishna
Engager
‎03-23-2017 01:48 AM

I am trying to create a dashboard that would return count on search, Currently I am getting "service" as input from user through drop-down and I am running search .
Example: when user selects "A" below search is run and result is displayed in panel as count
service="A" | stats count
similarly for other drop downs
service="B" | stats count
service="C" | stats count

I am new to Splunk , Is there a way I can run add all option in drop-down and get result for all fiends in drop-down in tabular format in panel

Required result: On selecting all option
Service | Count
A 10
B 20
C 30

0 Karma
Reply

jpass
Contributor
‎03-23-2017 05:39 AM

Something else to consider is using postprocess search. This way your base search doesn't have to run every time someone chooses an option in the dropdown.

See: http://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Post-process_searches

Here's the basic idea:

  • dashboard loads and runs a base search that generates the full list of stats:

    | STATS count BY Service

  • your input dropdown could access the values of 'Service' to dynamically populate your input options

  • you'll need to still add a static value to cover the * (all) option

  • your post process search, which dictates the values displayed on your dashboard, is simply:

    | SEARCH Service = $dropdown_value$

0 Karma
Reply

jpass
Contributor
‎03-23-2017 05:22 AM

do your search as:

| STATS count BY Service | SEARCH Service = $dropdown_value$

So your drop down has an option for "ALL" who's value is: *

When the user selects A:

| STATS count BY Service | SEARCH Service = "A"

When user selects ALL:
| STATS count BY serivce | SEARCH service = *

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...