Get the number of events returned in a csv through a text input

learningsplunk
Path Finder

Example file: Stocks.csv

| Stock ticker | Stock price |
|--------------|-------------|
| IBM          | 120         |
| NFLX         | 240         |
| APPL         | 999         |

 

And in the dashboard it will show: 

Number of stocks selected by input: 3

User has a text input where they can put a search term that will search both columns at once. (The token for the search query is $Stocks$)

If the user puts in say "L" 

This is what will return : 

| Stock ticker | Stock price |
|--------------|-------------|
| NFLX         | 240         |
| APPL         | 999         |

 

And in the dashboard it will show: 

Number of stocks selected by input: 2



I've tried this query : 

| inputlookup Stocks.csv | stats count as Total

(which only gets the total number of stocks back in the csv file... NOT the actual number of stocks selected by the user from their text input...)

However, is there any way possible to get the "Number of stocks selected by input" correctly?


niketn
Legend

@learningsplunk try the following, where token from the text box is $Stocks$

| inputlookup Stocks.csv where Stock_ticker="*$Stocks$*"
| stats count

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

learningsplunk
Path Finder

One other question to add to this: if there were multiple columns, for example:

 

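| Stock Ticker | Stock price | Company Name    | Address            | Owner |
|--------------|-------------|-----------------|--------------------|-------|
| IBM          | 120         | IBM             | 1 Main Street      | Neera |
| NFLX         | 240         | Netflix         | 23 Exchange Blvd   | Jill  |
| EE           | 360         | Eric's Electric | 999 Ways And Means | Eric  |
| Spl          | 480         | Splunk          | 10 Joseph Street   | Paul  |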

 

And the user typed in "ee"

I've tried with:

| inputlookup Stocks.csv where Stock_ticker="*$Stocks$*"
| where Stock_price="*$Stocks$*"
| where Company_Name="*$Stocks$*"
| where Address="*$Stocks$*"
| where Owner="*$Stocks$*"
| stats count

and the return value is always 0. Is there a way to return the number of rows, 3, instead of returning an incorrect value of 0 or returning an incorrect value of 4?

 


learningsplunk
Path Finder

Well then, looks like it works! Wasn't aware that you could use the token to actually pass said value(s) in that statement.

niketn
Legend

@learningsplunk this would be a good Doc page to start reading about Tokens in Dashboards: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
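
One way to count matches across all five columns from the follow-up question, as an added example that is not part of the original thread: the chained `| where` commands compare each field to the literal string `*ee*` (the `where` command does not expand `*`) and every link in the chain must pass, so the count is 0, whereas the `search` command expands `*`, ignores case in values, and can join the column tests with OR. The field names are taken from the queries posted above; the dashboard label, input label and panel layout are assumptions.

```xml
<!-- Added example; dashboard label, input label and panel layout are assumptions. -->
<form version="1.1">
  <label>Stocks lookup (example)</label>
  <fieldset submitButton="false">
    <!-- Text input that sets the $Stocks$ token used in the thread -->
    <input type="text" token="Stocks" searchWhenChanged="true">
      <label>Search term</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Number of stocks selected by input</title>
        <search>
          <!-- The search command treats * as a wildcard and matches values
               case-insensitively; OR keeps a row when any one column matches.
               Field names are assumed to match the CSV header as used in the
               queries posted in the thread. -->
          <query>| inputlookup Stocks.csv
| search Stock_ticker="*$Stocks$*" OR Stock_price="*$Stocks$*" OR Company_Name="*$Stocks$*" OR Address="*$Stocks$*" OR Owner="*$Stocks$*"
| stats count</query>
        </search>
      </single>
    </panel>
  </row>
</form>
```

With the four-row sample table and the input "ee", the IBM, EE and Spl rows match, so the panel shows 3. The token is substituted into the query text as typed, so a term containing a double quote breaks the quoted pattern.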