Dashboards & Visualizations

Dashboard Dropdown Question

petersmiddy
New Member

Hello all!

I'm trying to build dropdowns in a dashboard for fields I've built via 'rex field' and eval statements seen in the search below.

I am having trouble tying these fields into $token$ values.

I've tried placing them into the search in a couple of different places, but the search just fails:

Here is the search as it is built currently. Thanks for any direction you can provide.

index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs* user="$fields,0$"

| rex field=msg "VALUES (?<valuees>.*)"

| eval fields=split(valuees,"'") | eval user=mvindex(fields,0)

| eval user=mvindex(fields,1)

| eval method=mvindex(fields,3)

| eval page=mvindex(fields,5)

| eval params=mvindex(fields,7)

| eval datetime =mvindex(fields,9)

| search user=$"fields,0"$

| stats count by datetime user method page params

0 Karma

petersmiddy
New Member

@gcusello , thank you!

Here is the search code:

index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?<valuees>.*)"
| eval fields=split(valuees,"'") | eval user=mvindex(fields,0) 
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3) 
| eval page=mvindex(fields,5) 
| eval params=mvindex(fields,7) 
| eval datetime =mvindex(fields,9)
| eval created_at=mvindex(fields,11) 
| eval updated_at=mvindex(fields,13) 
| stats count by datetime user method page params

I'm pulling the data from within the field called 'msg' (example below). I extract it to new fields so we can search and sort by that data.

Particulary this data:

user_logs (user, method, page, params, datetime, created_at, updated_at)

Here is an example of 'msg':

 UserLog Create (27.8ms)  INSERT INTO `user_logs` (`user`, `method`, `page`, `params`, `datetime`, `created_at`, `updated_at`) VALUES ('Opredelennov, Eugene', 'destroy', 'deployments', '{\"id\"=>132, \"apic_id\"=>1, \"decommission_standard_change_id\"=>\"CRQ000001518730\", \"decommission_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001518730\", \"decommissioner_id\"=>2, \"name\"=>\"10G-VPC-test-vlan2508\", \"description\"=>\"10G-VPC-test-vlan2508\", \"provision_standard_change_id\"=>\"CRQ000001517986\", \"provision_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001517986\", \"status\"=>\"Decommissioned\", \"user_id\"=>4, \"user_group_id\"=>nil}', '2020-03-16 14:50:42', '2020-03-16 14:50:42', '2020-03-16 14:50:42')

Thanks again.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi, @petersmiddy,
If you could put your code in the Code Sample (the button with 101010) I could help you to analyze the regexes, that I cannot correctly read now.
Then I see the comma in the token, what it means?

If you could share a sample of your data and of the search of the dropdown, I could help you with them.

Then, to use quotes with a token you have to put the full token (with $) inside quotes user="$fields,0$", as you did in the first bolded case but not in the second: Splunk recognize the token by the "$" chars.

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...