How to feed selected same dropdown value in two different fields in Splunk query

asingh4177
Engager

This is my Splunk query to find out the percentage usage of devices under testing in our lab within a specific time range. I'm able to get the output as expected, but I'm having an issue using the same selected dropdown value in the dashboard to feed two different fields that I'm using in the search query from two different indexes.

Resources{}.ReservationGroups and reservation_group are two different fields from two different indexes, but both of them collect the same values, and I'm trying to feed this specific value from the dropdown, i.e. "iOS1", to both fields in order to get the device utilization result for a particular reservation group. Similarly, if someone selects any other value from the dropdown, it should be fed into these two fields and provide the result accordingly.

 

index=X Resources{}.Agent.AgentName=agent* Resources{}.ReservationGroups=iOS1
| dedup device_symbolicname
| table device_symbolicname, Resources{}.ReservationGroups
| stats count by Resources{}.ReservationGroups
| sort Resources{}.ReservationGroups
| appendcols
    [search index=Y scheduler_url="*sched*" is_agent=false reservation_group=iOS1
    | rename location as DUT, reservation_group as ReservationGroup
    | dedup DUT
    | stats count by ReservationGroup
    | rename count as pp_count
    | sort ReservationGroup]
| eval pct_usage=count/pp_count*100

 

0 Karma

gcusello
SplunkTrust

Hi @asingh4177,

your need isn't fully clear, but anyway I can give you some hints about your search:

First, fields like "Resources{}.Agent.AgentName" sometimes (especially in eval commands) have problems, so, after the main search, I suggest renaming them to something without dots.

Then, if you have a field in each index with the same content, you could use eval with coalesce() to have only one field to use in the grouping stats command, e.g.

| rename Resources{}.ReservationGroups AS ReservationGroups
| eval reservation_group=coalesce(ReservationGroups, reservation_group)

Lastly, after a stats command you have only the fields contained in the stats; in your case you have only count and ReservationGroup, but if you rename count AS pp_count, you no longer have the count field that you used in the following eval command.

As I said, your need isn't so clear: you spoke of two indexes, but you use only one in the search.

Could you better explain your need?

Ciao.

Giuseppe

0 Karma