How to change Splunk query dynamically based on us...

Dashboards & Visualizations

I have a splunk dashboard with dropdown as different client names : A,B,C,ALL.

There will be logs for each client and then I need to search and print the count of selected client from logs, I am able to do that if a user selects A ,B or C, but there is no such client as ALL, if a user selects all, I want to see all logs for A,B,C and sum them and show them in dashboard.

A log look like:

Client Map Details : {A=123, B=245, C=456}

If a user selects A, we show 123 and plot on graph

If a user selects B, we show 245 and plot on graph

If a user selects C, we show 456 and plot on graph

Query for above:

index=temp  sourcetype="xyz" "Client Map Details : " "A"  | rex field=_raw "A=(?<count>\d+)" |  table _time count

But how can I change query based on user input "ALL" and run another splunk query that will see all such lines , and iterate over map and sum each value, 123+456+245 and then give a value to plot?

How do we change slunk query based on user input from dashboard ?

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...