Dashboards & Visualizations

How to feed selected same dropdown value in two different fields in Splunk query

asingh4177
Engager

This is my splunk query to find out the percentage usage of devices under testing in our lab within a specific time range. I'm able to get the output as expected but getting issue in using the selected same dropdown value in dashboard to feed it to two different fields which I'm using in search query from two different indexes.

Resources{}.ReservationGroups and reservation_group are two different fields from two different indexes but both of them collect same values and I'm trying to feed this specific value from dropdown i.e "iOS1" to both the fields in order to get result for device utilization for particular reservation group. similarly If someone select any other value from dropdown it should be able to be feed into these 2 fields and provide the result accordingly.

 

index=X Resources{}.Agent.AgentName=agent* Resources{}.ReservationGroups=iOS1 | dedup device_symbolicname | table device_symbolicname, Resources{}.ReservationGroups | stats count by Resources{}.ReservationGroups | sort Resources{}.ReservationGroups | appendcols
[search index=Y scheduler_url="*sched*" is_agent=false reservation_group=iOS1 
| rename location as DUT, reservation_group as ReservationGroup
| dedup DUT
| stats count by ReservationGroup | rename count as pp_count | sort ReservationGroup] | eval pct_usage=count/pp_count*100

 

Labels (1)
Tags (2)
0 Karma

gcusello
Legend

Hi @asingh4177,

it isn't so fully clear your need and especially your need, but anuway I can give you some hint about your search:

at first fields like "Resources{}.Agent.AgentName" sometimes (espcially in eval commands) have problems, so, after the main search I hint to rename it in something without dots.

then if you have a a field in each index with the same content you could use eval=coalesce() to have only one field to use in grouping stats command, e.g. 

| rename Resources{}.ReservationGroups AS ReservationGroups
| eval reservation_group=coalesce(ReservationGroups, reservation_group)

at least, after a stats command you have only the fields contained in the stats, in your case you have only count and ReservationGroup, but, if you rename count AS pp_count , you don't still have the count field that you used in the following eval command.

As I said it isn't so clear your need: you spoke of two indexes, but you use only one in search.

Could you better explain your need?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...