A year or so ago I changed the way that I label cameras in my spreadsheet that I put into splunk. Ex. instead of PSP I am calling it 9845PSP. Is there something in the dropdown search string that I can add so that PSP and 9845PSP combine into one? It is hard because the format of the cameras is all different. Like one of the cameras we used to call LP2 and now we call it LP2CT1. I would prefer not to go back to my many years of data and change all the names. So far I have this as the search string: sourcetype="csv" State="$state$"|stats count by Camera|fields - count
I have very little experience with splunk and help would be greatly appreciated!!
This is a perfect use case for tags. Set up the tagging and then search by tag from now on. Cake.
Is there a way when I set up the tags to say anything containing PSA2 tag as PSA2? So 83472PSA2 and 6PSA2 would be tagged as PSA2?
No, but you can create an eventtype with wildcards and then use that. Also, once that is done, you can tag each eventtype and use tags that way.
So I wouldn't be able to put Camera="*PSA2" as the field value pair? What would the eventtype look like?
Create an eventtype called PSA2 which has
index=YouShouldAlwaysSpecifyAnIndex sourcetype=YourSourcetypeHere CameraName=PSA2*
and then a tag called PSA2 which has eventtype=PSA2 and the definition. Then search:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=YourSourcetypeHere tag=PSA2
It is not working for me. Sorry I am very very very new to splunk! So I have host="splunk" sourcetype="csv" Tunnel=*PSA2 in the search string of the eventtype and they tag as PSA2. When I search tag=PSA2, nothing comes up.
JUST KIDDING!!! I had the wrong time frame! It works! Thank you soooooooooo much!!
I'd probably create a lookup table
Camera CameraGroup
PSP PSP
9845PSP PSP
LP2 LP2CT1
LP2CT1 LP2CT1
Then have your dropdown box select the group name rather than the camera name. You could, as I have above, call the group either the same thing as you call the original or current cameras, or you could give them a different name entirely, your choice. The cool thing is, since that name/value is not in the data at all, you can change it any time you feel like it. This week, it's "PSP funky purple monkey"...
I'm gathering that you want to provide a dropdownlist of only those Cameras that were used in any given $state$ - not sure whether that might mean "Nevada" or "high resolution". Here's that code...
sourcetype="csv" State="$state$"
| stats by Camera
| lookup cameragroup Camera OUTPUT CameraGroup
| stats by CameraGroup
Note that you don't have to use "count" and delete it, stats allows you to just leave it out.
Once the user has selected the state, then the CameraGroup, somewhere in your real search, you'll do a lookup to your cameragroup table and eliminate unmatched records.
sourcetype="csv" State="$state$"
... possibly some other stuff ...
| lookup cameragroup Camera OUTPUT CameraGroup
| where CameraGroup = "$CameraGroupToken$"
| whatever the rest of your current search is
There are other, more efficient ways to set up the search code, but it's unlikely that the size of a human-created spreadsheet will have enough data that it matters.
That would look something like...
sourcetype="csv" State="$state$" [|inputlookup cameragroup | where CameraGroup = "$mytoken$" | table Camera ]
... possibly some other stuff ...
| lookup cameragroup Camera OUTPUT CameraGroup
| whatever the rest of your current search is
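Maintaining the lookup file by hand does not scale to thousands of names, so as an added example (not part of the original thread), the Python below generates the Camera/CameraGroup rows for the cameragroup lookup. It assumes the renames follow the thread's pattern of digits prepended to the old name; the function names and the overrides map for irregular renames such as LP2 are hypothetical.

```python
import csv
import io
import re

# Assumption: the newer scheme prepends digits to the old name
# (PSP -> 9845PSP, PSA2 -> 83472PSA2), as in the thread's examples.
# The lookahead keeps an all-digit name from being stripped to nothing.
NUMERIC_PREFIX = re.compile(r"^\d+(?=[A-Za-z])")


def build_camera_groups(cameras, overrides=None):
    """Return sorted, de-duplicated (Camera, CameraGroup) rows.

    overrides maps irregular names (e.g. LP2 -> LP2CT1) to their group
    and takes precedence over the numeric-prefix rule.
    """
    overrides = overrides or {}
    rows = {}
    for name in cameras:
        camera = name.strip()          # spreadsheet cells often carry stray spaces
        if not camera:
            continue
        if camera in overrides:
            rows[camera] = overrides[camera]
        else:
            rows[camera] = NUMERIC_PREFIX.sub("", camera)
    return sorted(rows.items())


def to_lookup_csv(rows):
    """Render rows as CSV text with the header the lookup command expects."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Camera", "CameraGroup"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample input; in practice this would be the distinct Camera
# values exported from the existing data.
SAMPLE_CAMERAS = ["PSP", "9845PSP", "LP2", "LP2CT1", "83472PSA2", "6PSA2", "PSP "]
SAMPLE_OVERRIDES = {"LP2": "LP2CT1"}

if __name__ == "__main__":
    print(to_lookup_csv(build_camera_groups(SAMPLE_CAMERAS, SAMPLE_OVERRIDES)), end="")
```

Review the generated rows before uploading the file, since any camera whose old and new names differ by more than a numeric prefix needs an entry in the overrides map.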
I like the idea of the lookup table but I have thousands of camera names so it would be very tedious. Is there a way that I could make some sort of IF statement that like:
Maybe you can change the dropdown to a multiselect or text field.
<input type="multiselect" token="camera_tok" searchWhenChanged="true">
  <label> Select a Camera </label>
  <choice value=""> ALL </choice>
  <search>
    <query>sourcetype=csv State=$state$ Camera=* | stats count by Camera | fields - count</query>
  </search>
  <fieldForLabel>Camera</fieldForLabel>
  <fieldForValue>Camera</fieldForValue>
  <prefix/>
  <valuePrefix>Camera="</valuePrefix>
  <valueSuffix>*"</valueSuffix>
  <delimiter> OR </delimiter>
  <suffix/>
</input>
Now it is not working with my panels. In my panel I have Camera="$Camera$". Is there a way I can change that so it will use both the cameras I select?
try this below,
<input type="multiselect" token="Camera" searchWhenChanged="true">
@sarahw3
Try this option,
<input type="text" token="Camera_pre_tok">
<label>Optional: Filter camera populating </label>
<default>* </default>
</input>
Note: in the text box you can give *PSP* and it will give you PSP-related values in the multiselect.
<input type="multiselect" token="Camera" searchWhenChanged="true">
  <label> Select a Camera </label>
  <choice value=""> ALL </choice>
  <search>
    <query>sourcetype=csv State=$state$ Camera=$Camera_pre_tok$ | stats count by Camera | fields - count</query>
  </search>
  <fieldForLabel>Camera</fieldForLabel>
  <fieldForValue>Camera</fieldForValue>
  <prefix/>
  <valuePrefix>Camera="</valuePrefix>
  <valueSuffix>*"</valueSuffix>
  <delimiter> OR </delimiter>
  <suffix/>
</input>
Brilliant!! Thank you so much!