Dashboards & Visualizations

Combine options in a dropdown menu

sarahw3
Explorer

A year or so ago I changed the way that I label cameras in my spreadsheet that I put into splunk. Ex. instead of PSP I am calling it 9845PSP. Is there something in the dropdown search string that I can add so that PSP and 9845PSP combine into one? It is hard because the format of the cameras is all different. Like one of the cameras we used to call LP2 and now we call it LP2CT1. I would prefer not to go back to my many years of data and change all the names. So far I have this as the search string: sourcetype="csv" State="$state$"|stats count by Camera|fields - count

I have very little experience with splunk and help would be greatly appreciated!!

0 Karma
1 Solution

woodcock
Esteemed Legend

This is a perfect use case for tags. Setup the tagging and then search by tag from now on. Cake.

View solution in original post

0 Karma

woodcock
Esteemed Legend

This is a perfect use case for tags. Setup the tagging and then search by tag from now on. Cake.

0 Karma

sarahw3
Explorer

Is there a way when I set up the tags to say anything containing PSA2 tag as PSA2? So 83472PSA2 and 6PSA2 would be tagged as PSA2?

0 Karma

woodcock
Esteemed Legend

No, but you can create an eventtype with wildcards and then use that. Also, once that is done, you can tag each eventtype and use tags that way.

0 Karma

sarahw3
Explorer

So I wouldn't be able to put Camera="*PSA2" as the field value pair? What would the eventtype look like?

0 Karma

woodcock
Esteemed Legend

Create an eventtype called PSA2 which has index=YouShouldAlwaysSpecifyAnIndex sourcetype=YourSourcetypeHere CameraName=PSA2* and then a tag called PSA2 which has eventtype=PSA2 and the definition. Then search:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=YourSourcetypeHere tag=PSA2
0 Karma

sarahw3
Explorer

It is not working for me. Sorry I am very very very new to splunk! So I have host="splunk" sourcetype="csv" Tunnel=*PSA2 in the search string of the eventtype and they tag as PSA2. When I search tag=PSA2, nothing comes up.

0 Karma

sarahw3
Explorer

JUST KIDDING!!! I had the wrong time frame! It works! Thank you soooooooooo much!!

0 Karma

DalJeanis
Legend

I'd probably create a lookup table

Camera     CameraGroup
PSP        PSP
9845PSP    PSP
LP2        LP2CT1
LP2CT1     LP2CT1     

Then have your dropdown box select the group name rather than the camera name. You could, as I have above, call the group either the same thing as you call the original or current cameras, or you could give them a different name entirely, your choice. The cool thing is, since that name/value is not in the data at all, you can change it any time you feel like it. This week, it's "PSP funky purple monkey"...


I'm gathering that you want to provide a dropdownlist of only those Cameras that were used in any given $state$ - not sure whether that might mean "Nevada" or "high resolution". Here's that code...

sourcetype="csv" State="$state$" 
| stats by Camera 
| lookup cameragroup Camera OUTPUT CameraGroup 
| stats by CameraGroup

Note that you don't have to use "count" and delete it, stats allows you to just leave it out.


Once the user has selected the state, then the CameraGroup, somewhere in your real search, you'll do a lookup to your cameragroup table and eliminate unmatched records.

sourcetype="csv" State="$state$" 
... possibly some other stuff ...
| lookup cameragroup Camera OUTPUT CameraGroup
| where CameraGroup = $CameraGroupToken$
| whatever the rest of your current search is

There are other, more efficient ways to set up the search code, but it's unlikely that the size of a human-created spreadsheet will have enough data that it matters.

That would look something like...

sourcetype="csv" State="$state$" [|inputlookup  cameragroup  | where CameraGroup = "$mytoken$" | table Camera ]
... possibly some other stuff ...
| lookup cameragroup Camera OUTPUT CameraGroup
| whatever the rest of your current search is
0 Karma

sarahw3
Explorer

I like the idea of the lookup table but I have thousands of camera names so it would be very tedious. Is there a way that I could make some sort of IF statement that like:

  • if the tunnel name contains four letters at the beginning then get rid of the numbers.
  • if the tunnel name contains CT1 at the end, get rid of the CT1
0 Karma

sbbadri
Motivator

May be you can change dropdown to multiselect or text field.

<input type="multiselect" token="camera_tok" searchWhenChanged="true">
<label> Select a Camera </label>
<choice value=""> ALL </choice>
<search>
<query>sourcetype=csv Stata=$state$ Camera=
| stats count by Camera| fields - count</query>

</search>
<fieldForLabel>Camera</fieldForLabel>
<fieldForValue>Camera>/fieldForValue>
<prefix/>
<valuePrefix>Camera=">/valuePrefix>
<valueSuffix>*">/valueSuffix>
<delimiter> OR >/delimiter>
<suffix/>

0 Karma

sarahw3
Explorer

Now it is not working with my panels. In my pannel I have Camera="$Camera$". Is there a way I can change that so it will use both the cameras I select?

0 Karma

sbbadri
Motivator

try this below,

<input type="multiselect" token="Camera" searchWhenChanged="true">

0 Karma

sbbadri
Motivator

@sarahw3
Try this option,

<input type="text" token="Camera_pre_tok">
<label>Optional: Filter camera populating </label>
<default>* </default>
</input>

Note: in text box you can give *PSP* it will give you PSP related values in the multiselect.

<input type="multiselect" token="Camera" searchWhenChanged="true">
<label> Select a Camera </label>
<choice value=""> ALL </choice>
<search>
<query>sourcetype=csv Stata=$state$ Camera=$Camera_pre_tok$ | stats count by Camera| fields - count</query>
</search>
<fieldForLabel>Camera</fieldForLabel>
<fieldForValue>Camera>/fieldForValue>
<prefix/>
<valuePrefix>Camera=">/valuePrefix>
<valueSuffix>*">/valueSuffix>
<delimiter> OR >/delimiter>
<suffix/>
</input>

0 Karma

sarahw3
Explorer

Brilliant!! Thank you so much!

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...