Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How can I modify search based on token value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I modify search based on token value?
stevenbutterwor
Path Finder
02-15-2018
03:38 AM
I am attempting to build a dashboard panel using the below search:
index="dcs_performance_data" WellNumber=$well$ TagName=15FQ011* | stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
As you can see the WellNumber element is populated by a user input (drop down) in the dashboard. What I would also like to do is modify the TagName in the first eval statement based on the $well$ token. For example, if a user was to select H307 as the WellNumber, this would modify the final two characters of the TagName to 07 (suffix).
I already have a lookup which correlates WellNumber to the suffix, so I'm sure this will help somehow?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
05:35 AM
try this:
index="dcs_performance_data" WellNumber=$well$ TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
If I understood correctly after join using lookup command you will get tagname, suffix, WellNumber...if so try this run anywhere search:
|makeresults|eval tagname="15FQ011W_15", suffix="07"|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stevenbutterwor
Path Finder
02-15-2018
06:19 AM
Thanks for your answer. That seems to be working but how do I insert the resulting TagName's into my dynamic dashboard panel? E.g. into my stats eval calculation?
...| stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
06:23 AM
can you specify in detail what are you expecting ? also not able to understand dynamic dashboard panel?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stevenbutterwor
Path Finder
02-15-2018
06:45 AM
Thanks for your help so far.....
If you look at the original search:
index="dcs_performance_data" WellNumber=H315 | stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_15",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
You can see the WellNumber is H315 and the TagName suffix is 15. What I want to do is change the TagName suffix automatically when I change the WellNumber value. The suffix values (TagObject) are related to each other in the lookup I mentioned.
E.g. if I insert H307 as the WellNumber then the TagName becomes 15FQ011W_7, instead of _15 as shown in the example.
I hope that makes some sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
07:04 AM
from where these TagName value is getting populating in eval expression? ...I can see these are different..like 15FQ011W_15, 15FQ011I_15
and after using rex are you getting 15FQ011W_7 instead of 15FQ011W_15 when WellNumber is H307?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stevenbutterwor
Path Finder
02-15-2018
07:20 AM
I have entered them manually.
When I use the
index="dcs_performance_data" WellNumber=H307 TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval tagname=tagname.suffix
It does return the correct TagName but I'm unsure how to insert these into my eval automatically?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
02-15-2018
07:26 AM
if you only change last eval by Tagname instaed of tagname then it will be used in stats eval query...
index="dcs_performance_data" WellNumber=H307 TagName=15FQ011* |lookup lookname_name WellNumber output suffix|rex mode=sed field=tagname "s/([^_]+_).*/\1/"|eval Tagname=tagname.suffix| stats latest(eval(if(TagName="15FQ011W_15",TagValue,null()))) as Out, latest(eval(if(TagName="15FQ011I_07",TagValue,null()))) as In by WellNumber | eval Level=In-Out | chart values(Level)
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
