Dashboards & Visualizations

Dashboard Dropdown Question

New Member

Hello all!

I'm trying to build dropdowns in a dashboard for fields I've built via 'rex field' and eval statements seen in the search below.

I am having trouble tying these fields into $token$ values.

I've tried placing them into the search in a couple of different places, but the search just fails:

Here is the search as it is built currently. Thanks for any direction you can provide.

index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs* user="$fields,0$"

| rex field=msg "VALUES (?<valuees>.*)"

| eval fields=split(valuees,"'") | eval user=mvindex(fields,0)

| eval user=mvindex(fields,1)

| eval method=mvindex(fields,3)

| eval page=mvindex(fields,5)

| eval params=mvindex(fields,7)

| eval datetime =mvindex(fields,9)

| search user=$"fields,0"$

| stats count by datetime user method page params

0 Karma

New Member

@gcusello , thank you!

Here is the search code:

index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?<valuees>.*)"
| eval fields=split(valuees,"'") | eval user=mvindex(fields,0) 
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3) 
| eval page=mvindex(fields,5) 
| eval params=mvindex(fields,7) 
| eval datetime =mvindex(fields,9)
| eval created_at=mvindex(fields,11) 
| eval updated_at=mvindex(fields,13) 
| stats count by datetime user method page params

I'm pulling the data from within the field called 'msg' (example below). I extract it to new fields so we can search and sort by that data.

Particulary this data:

user_logs (user, method, page, params, datetime, created_at, updated_at)

Here is an example of 'msg':

 UserLog Create (27.8ms)  INSERT INTO `user_logs` (`user`, `method`, `page`, `params`, `datetime`, `created_at`, `updated_at`) VALUES ('Opredelennov, Eugene', 'destroy', 'deployments', '{\"id\"=>132, \"apic_id\"=>1, \"decommission_standard_change_id\"=>\"CRQ000001518730\", \"decommission_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001518730\", \"decommissioner_id\"=>2, \"name\"=>\"10G-VPC-test-vlan2508\", \"description\"=>\"10G-VPC-test-vlan2508\", \"provision_standard_change_id\"=>\"CRQ000001517986\", \"provision_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001517986\", \"status\"=>\"Decommissioned\", \"user_id\"=>4, \"user_group_id\"=>nil}', '2020-03-16 14:50:42', '2020-03-16 14:50:42', '2020-03-16 14:50:42')

Thanks again.

0 Karma

Legend

Hi, @petersmiddy,
If you could put your code in the Code Sample (the button with 101010) I could help you to analyze the regexes, that I cannot correctly read now.
Then I see the comma in the token, what it means?

If you could share a sample of your data and of the search of the dropdown, I could help you with them.

Then, to use quotes with a token you have to put the full token (with $) inside quotes user="$fields,0$", as you did in the first bolded case but not in the second: Splunk recognize the token by the "$" chars.

Ciao.
Giuseppe

0 Karma