Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Dashboard Dropdown Question

petersmiddy
New Member
‎03-19-2020 05:36 PM

Hello all!

I'm trying to build dropdowns in a dashboard for fields I've built via 'rex field' and eval statements seen in the search below.

I am having trouble tying these fields into $token$ values.

I've tried placing them into the search in a couple of different places, but the search just fails:

Here is the search as it is built currently. Thanks for any direction you can provide.

index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs* user="$fields,0$"

| rex field=msg "VALUES (?<valuees>.*)"

| eval fields=split(valuees,"'") | eval user=mvindex(fields,0)

| eval user=mvindex(fields,1)

| eval method=mvindex(fields,3)

| eval page=mvindex(fields,5)

| eval params=mvindex(fields,7)

| eval datetime =mvindex(fields,9)

| search user=$"fields,0"$

| stats count by datetime user method page params

0 Karma
Reply

petersmiddy
New Member
‎03-20-2020 05:37 AM

@gcusello , thank you!

Here is the search code:

index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?<valuees>.*)"
| eval fields=split(valuees,"'") | eval user=mvindex(fields,0) 
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3) 
| eval page=mvindex(fields,5) 
| eval params=mvindex(fields,7) 
| eval datetime =mvindex(fields,9)
| eval created_at=mvindex(fields,11) 
| eval updated_at=mvindex(fields,13) 
| stats count by datetime user method page params

I'm pulling the data from within the field called 'msg' (example below). I extract it to new fields so we can search and sort by that data.

Particulary this data:

user_logs (user, method, page, params, datetime, created_at, updated_at)

Here is an example of 'msg':

 UserLog Create (27.8ms)  INSERT INTO `user_logs` (`user`, `method`, `page`, `params`, `datetime`, `created_at`, `updated_at`) VALUES ('Opredelennov, Eugene', 'destroy', 'deployments', '{\"id\"=>132, \"apic_id\"=>1, \"decommission_standard_change_id\"=>\"CRQ000001518730\", \"decommission_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001518730\", \"decommissioner_id\"=>2, \"name\"=>\"10G-VPC-test-vlan2508\", \"description\"=>\"10G-VPC-test-vlan2508\", \"provision_standard_change_id\"=>\"CRQ000001517986\", \"provision_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001517986\", \"status\"=>\"Decommissioned\", \"user_id\"=>4, \"user_group_id\"=>nil}', '2020-03-16 14:50:42', '2020-03-16 14:50:42', '2020-03-16 14:50:42')

Thanks again.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-20-2020 12:38 AM

Hi, @petersmiddy,
If you could put your code in the Code Sample (the button with 101010) I could help you to analyze the regexes, that I cannot correctly read now.
Then I see the comma in the token, what it means?

If you could share a sample of your data and of the search of the dropdown, I could help you with them.

Then, to use quotes with a token you have to put the full token (with $) inside quotes user="$fields,0$", as you did in the first bolded case but not in the second: Splunk recognize the token by the "$" chars.

Ciao.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...