Dashboard Studio adding prefix & suffix problem

ChillaXin · ‎01-23-2024

Hi, everyone,

I have an old dashboard that I want to convert to the Dashboard Studio format. However, it seems that the new Dashboard Studio does not support the use of prefix, suffix, and delimiter in the same way. Is there any way to achieve the same effect using a search query?

datadevops · ‎01-28-2024

Hi there,

While Studio doesn't directly support prefix, suffix, and delimiter the same way, here are some workarounds using search queries:

1. Concatenate Strings:

Use the concat or mvexpand functions in your search query to combine desired elements (prefix, value, suffix, delimiter) into a single field.

Example:

index=_internal | search name="myMetric" | eval combinedValue=concat("prefix_", value, "_suffix", "|")

2. Leverage Panel Formatting:

Customize panel formatting options like titles, labels, and tooltips to display combined values as needed.

3. Utilize Calculated Fields:

Create calculated fields in your search query to pre-process data and ensure the desired format within the panel.

4. Consider Panel Types:

Explore different panel types in Studio that might natively support your formatting needs (e.g., single value panels, charts with custom labels).

5. Reference Older Formats:

In Studio, you can still reference and embed panels from your old dashboard format, providing some continuity while exploring new features.

Remember:

Adapt the specific solution based on your dashboard's unique requirements and desired output format.
Experiment with different approaches and panel configurations to find the best fit for your use case.

~ If the reply helps, a Karma upvote would be appreciated

ChillaXin · ‎01-29-2024

HI,

I concatenate strings that I want successfully, but i can't use it to find data when I put the strings into subsearch.

Here's my code below:

bowesmana · ‎01-29-2024

I would suggest not using mvexpand, as in your example search - in your example you will triple the raw events.

Can you provide a sample of the inputs you want to be able to select

DS makes a multiselect token= a,b,c so you can use this logic in your search that wants to use the token

index=your_index 
    [ 
  | makeresults
  | fields - _time
  | eval  <your_field_name>=split("$token$", ",")
  | mvexpand <your_field_name>
]

How were you using prefix/suffix/delim in your old dashboard?

ChillaXin · ‎01-30-2024

Hi,

I use a multiselect drilldown input to select items I want to check, so the inputs would be like

"NB, IPhone, Mac, PC", or

"NB, IPhone"

and I want to change inputs into another format like below so I can use it in subsearch:

Device=NB OR Device=IPhone OR Device=Mac OR Device=PC

bowesmana · ‎01-30-2024

That's exactly what the subsearch will do. The output of a subsearch is to make

<field>=<value> OR <field>=<value>...

where the results of the subsearch are in a table with field name 'field'. You can see the output of the subsearch just by running the search manually as a normal search and adding

| format

to the end of the search, which is implicit in the subsearch

Dashboard Studio adding prefix & suffix problem

Classic dashboard

Dashboard Studio

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector