How to change Splunk query dynamically based on us...

Dashboards & Visualizations

I have a splunk dashboard with dropdown as different client names : A,B,C,ALL.

There will be logs for each client and then I need to search and print the count of selected client from logs, I am able to do that if a user selects A ,B or C, but there is no such client as ALL, if a user selects all, I want to see all logs for A,B,C and sum them and show them in dashboard.

A log look like:

Client Map Details : {A=123, B=245, C=456}

If a user selects A, we show 123 and plot on graph

If a user selects B, we show 245 and plot on graph

If a user selects C, we show 456 and plot on graph

Query for above:

index=temp  sourcetype="xyz" "Client Map Details : " "A"  | rex field=_raw "A=(?<count>\d+)" |  table _time count

But how can I change query based on user input "ALL" and run another splunk query that will see all such lines , and iterate over map and sum each value, 123+456+245 and then give a value to plot?

How do we change slunk query based on user input from dashboard ?

Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and stall ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...