Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How can multiselect input accommodate logs with di...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My dashboard is based on a datamodel but it has drilldowns to the actual logs
If I have a multiselect for actions (A, B, C), I can set the valuePrefix with a delimiter of "OR"
<input type="multiselect" token="form_action">
<label>Action</label>
<choice value="=A">A</choice>
<choice value="=B">B</choice>
<choice value="=C">C</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>DataModel.action</valuePrefix>
<delimiter> OR </delimiter>
<default>=A,=B</default>
<initialValue>=A,=B</initialValue>
</input>
So that based on selections, I can define DataModel search terms to
DataModel.action=A OR DataModel.action=B
However the actual event log does not have the field DataModel.action. It only has "action". So when I do a drilldown to the log events, I would like to be able so drill down to a search that includes
action=A OR action=B
The two ideas that I have to do this are
rename the prefix to just "action" and delay my datamodel search terms until after I have selected from my datamodel:
|tstats count from datamode=DataModel by DataModel.action | eval action=DataModel.action | search $form_action$
create field alias for my log source field action called DataModel.action then searches for DataModel.action should work
IMO, the first option is bad because it does not allow further variation in log sources. So if I had visualizations that might drill down to different log sources, with different field names for "action", I could not create those drill downs
The second option is slightly better but I would also not like to start creating aliases for logs source to match data models
Is there a better way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have recently learned that I can create a new token using eval:
in the case of my drilldown, inside the drilldown definition, I can do:
<drilldown target="_blank">
<set token="newAction">$form_action$</set>
<eval token="newAction">replace($form_action$,"DataModel.action","action")</eval>
<eval token="newAction">replace($newAction$,"DataModel.action","action")</eval>
...
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have recently learned that I can create a new token using eval:
in the case of my drilldown, inside the drilldown definition, I can do:
<drilldown target="_blank">
<set token="newAction">$form_action$</set>
<eval token="newAction">replace($form_action$,"DataModel.action","action")</eval>
<eval token="newAction">replace($newAction$,"DataModel.action","action")</eval>
...
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You beat me to it! I was sitting at home thinking about this and I thought, "oh an eval would work, I'll quick add a comment" but I hadn't noticed that you've posted so long ago!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you tried putting the token inside the tstats?
|tstats count from datamode=DataModel where $form_action$ by DataModel.action
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Tstats
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does that resolve multiple values from the multiselect? I am thinking not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah. I tried it and that does not handle the multiple values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i just made a dashboard with tstats and used the same multiselect XML as yours above and am able to click one or both of them and the data is showing. check my edit. I had a typo.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, your edit is what I had been doing. As noted in my qestion, the multi-select works on a single source.
My problem occurs when I want to drill down or use the same input for a source that names the field differently. My question is looking for a best way to handle that.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
