Dashboards & Visualizations

How to feed selected same dropdown value in two different fields in Splunk query

asingh4177
Engager

This is my splunk query to find out the percentage usage of devices under testing in our lab within a specific time range. I'm able to get the output as expected but getting issue in using the selected same dropdown value in dashboard to feed it to two different fields which I'm using in search query from two different indexes.

Resources{}.ReservationGroups and reservation_group are two different fields from two different indexes but both of them collect same values and I'm trying to feed this specific value from dropdown i.e "iOS1" to both the fields in order to get result for device utilization for particular reservation group. similarly If someone select any other value from dropdown it should be able to be feed into these 2 fields and provide the result accordingly.

 

index=X Resources{}.Agent.AgentName=agent* Resources{}.ReservationGroups=iOS1 | dedup device_symbolicname | table device_symbolicname, Resources{}.ReservationGroups | stats count by Resources{}.ReservationGroups | sort Resources{}.ReservationGroups | appendcols
[search index=Y scheduler_url="*sched*" is_agent=false reservation_group=iOS1 
| rename location as DUT, reservation_group as ReservationGroup
| dedup DUT
| stats count by ReservationGroup | rename count as pp_count | sort ReservationGroup] | eval pct_usage=count/pp_count*100

 

Labels (1)
Tags (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @asingh4177,

it isn't so fully clear your need and especially your need, but anuway I can give you some hint about your search:

at first fields like "Resources{}.Agent.AgentName" sometimes (espcially in eval commands) have problems, so, after the main search I hint to rename it in something without dots.

then if you have a a field in each index with the same content you could use eval=coalesce() to have only one field to use in grouping stats command, e.g. 

| rename Resources{}.ReservationGroups AS ReservationGroups
| eval reservation_group=coalesce(ReservationGroups, reservation_group)

at least, after a stats command you have only the fields contained in the stats, in your case you have only count and ReservationGroup, but, if you rename count AS pp_count , you don't still have the count field that you used in the following eval command.

As I said it isn't so clear your need: you spoke of two indexes, but you use only one in search.

Could you better explain your need?

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...