Dashboards & Visualizations

How can I modify search based on token value?

stevenbutterwor
Path Finder

I am attempting to build a dashboard panel using the below search:

index="dcs_performance_data" WellNumber=$well$ TagName=15FQ011* | stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)

As you can see the WellNumber element is populated by a user input (drop down) in the dashboard. What I would also like to do is modify the TagName in the first eval statement based on the $well$ token. For example, if a user was to select H307 as the WellNumber, this would modify the final two characters of the TagName to 07 (suffix).

I already have a lookup which correlates WellNumber to the suffix, so I'm sure this will help somehow?

0 Karma

493669
Super Champion

try this:

index="dcs_performance_data" WellNumber=$well$ TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix

If I understood correctly after join using lookup command you will get tagname, suffix, WellNumber...if so try this run anywhere search:

|makeresults|eval tagname="15FQ011W_15", suffix="07"|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
0 Karma

stevenbutterwor
Path Finder

Thanks for your answer. That seems to be working but how do I insert the resulting TagName's into my dynamic dashboard panel? E.g. into my stats eval calculation?

...| stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
0 Karma

493669
Super Champion

can you specify in detail what are you expecting ? also not able to understand dynamic dashboard panel?

0 Karma

stevenbutterwor
Path Finder

Thanks for your help so far.....

If you look at the original search:

index="dcs_performance_data" WellNumber=H315 | stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)

You can see the WellNumber is H315 and the TagName suffix is 15. What I want to do is change the TagName suffix automatically when I change the WellNumber value. The suffix values (TagObject) are related to each other in the lookup I mentioned.

E.g. if I insert H307 as the WellNumber then the TagName becomes 15FQ011W_7, instead of _15 as shown in the example.

I hope that makes some sense?

0 Karma

493669
Super Champion

from where these TagName value is getting populating in eval expression? ...I can see these are different..like 15FQ011W_15, 15FQ011I_15
and after using rex are you getting 15FQ011W_7 instead of 15FQ011W_15 when WellNumber is H307?

0 Karma

stevenbutterwor
Path Finder

I have entered them manually.

When I use the

index="dcs_performance_data" WellNumber=H307 TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix

It does return the correct TagName but I'm unsure how to insert these into my eval automatically?

0 Karma

493669
Super Champion

if you only change last eval by Tagname instaed of tagname then it will be used in stats eval query...

index="dcs_performance_data" WellNumber=H307 TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval Tagname=tagname.suffix| stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_07",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...