Dashboards & Visualizations

How to feed selected same dropdown value in two different fields in Splunk query


This is my splunk query to find out the percentage usage of devices under testing in our lab within a specific time range. I'm able to get the output as expected but getting issue in using the selected same dropdown value in dashboard to feed it to two different fields which I'm using in search query from two different indexes.

Resources{}.ReservationGroups and reservation_group are two different fields from two different indexes but both of them collect same values and I'm trying to feed this specific value from dropdown i.e "iOS1" to both the fields in order to get result for device utilization for particular reservation group. similarly If someone select any other value from dropdown it should be able to be feed into these 2 fields and provide the result accordingly.


index=X Resources{}.Agent.AgentName=agent* Resources{}.ReservationGroups=iOS1 | dedup device_symbolicname | table device_symbolicname, Resources{}.ReservationGroups | stats count by Resources{}.ReservationGroups | sort Resources{}.ReservationGroups | appendcols
[search index=Y scheduler_url="*sched*" is_agent=false reservation_group=iOS1 
| rename location as DUT, reservation_group as ReservationGroup
| dedup DUT
| stats count by ReservationGroup | rename count as pp_count | sort ReservationGroup] | eval pct_usage=count/pp_count*100


Labels (1)
Tags (2)
0 Karma


Hi @asingh4177,

it isn't so fully clear your need and especially your need, but anuway I can give you some hint about your search:

at first fields like "Resources{}.Agent.AgentName" sometimes (espcially in eval commands) have problems, so, after the main search I hint to rename it in something without dots.

then if you have a a field in each index with the same content you could use eval=coalesce() to have only one field to use in grouping stats command, e.g. 

| rename Resources{}.ReservationGroups AS ReservationGroups
| eval reservation_group=coalesce(ReservationGroups, reservation_group)

at least, after a stats command you have only the fields contained in the stats, in your case you have only count and ReservationGroup, but, if you rename count AS pp_count , you don't still have the count field that you used in the following eval command.

As I said it isn't so clear your need: you spoke of two indexes, but you use only one in search.

Could you better explain your need?



0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...