Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How can I modify search based on token value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I modify search based on token value?
stevenbutterwor
Path Finder
02-15-2018
03:38 AM
I am attempting to build a dashboard panel using the below search:
index="dcs_performance_data" WellNumber=$well$ TagName=15FQ011* | stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
As you can see the WellNumber element is populated by a user input (drop down) in the dashboard. What I would also like to do is modify the TagName in the first eval statement based on the $well$ token. For example, if a user was to select H307 as the WellNumber, this would modify the final two characters of the TagName to 07 (suffix).
I already have a lookup which correlates WellNumber to the suffix, so I'm sure this will help somehow?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
05:35 AM
try this:
index="dcs_performance_data" WellNumber=$well$ TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
If I understood correctly after join using lookup command you will get tagname, suffix, WellNumber...if so try this run anywhere search:
|makeresults|eval tagname="15FQ011W_15", suffix="07"|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stevenbutterwor
Path Finder
02-15-2018
06:19 AM
Thanks for your answer. That seems to be working but how do I insert the resulting TagName's into my dynamic dashboard panel? E.g. into my stats eval calculation?
...| stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
06:23 AM
can you specify in detail what are you expecting ? also not able to understand dynamic dashboard panel?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stevenbutterwor
Path Finder
02-15-2018
06:45 AM
Thanks for your help so far.....
If you look at the original search:
index="dcs_performance_data" WellNumber=H315 | stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
You can see the WellNumber is H315 and the TagName suffix is 15. What I want to do is change the TagName suffix automatically when I change the WellNumber value. The suffix values (TagObject) are related to each other in the lookup I mentioned.
E.g. if I insert H307 as the WellNumber then the TagName becomes 15FQ011W_7, instead of _15 as shown in the example.
I hope that makes some sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
07:04 AM
from where these TagName value is getting populating in eval expression? ...I can see these are different..like 15FQ011W_15, 15FQ011I_15
and after using rex are you getting 15FQ011W_7 instead of 15FQ011W_15 when WellNumber is H307?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stevenbutterwor
Path Finder
02-15-2018
07:20 AM
I have entered them manually.
When I use the
index="dcs_performance_data" WellNumber=H307 TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
It does return the correct TagName but I'm unsure how to insert these into my eval automatically?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
07:26 AM
if you only change last eval by Tagname instaed of tagname then it will be used in stats eval query...
index="dcs_performance_data" WellNumber=H307 TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval Tagname=tagname.suffix| stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_07",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
