Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to pass multiple values for a field through token in a dashboard?

Soundaryakunder
Loves-to-Learn Lots
‎07-01-2022 12:52 AM

Dashboard is taking a long time to load and it has 17 apps in one panel. I have also tried creating a token such as <set token="app_names">app1,app2</set> instead of using wildcard.  but query is not returning any result.

Code snippet

 

 <init>
    <set token="app_names">app1,app2,app3................</set>
 </init>
 ......
  <row>
    <panel>
      <title>Dashboard</title>
      <table>
         <search>
          <query>index=idx ns=xyz* app_name=$app_names$ pod_container=xyz* ((" ERROR " OR " WARN ")
		  |stats count by app_name
          | append
    [| stats count
    | eval app_name="app1,app2,app3........"
    | table app_name
    | makemv app_name delim=","
    | mvexpand app_name]
	.......

 

 

Please advise!

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-01-2022 01:07 AM

Would something like this help?

index=idx ns=xyz* app_name IN ($app_names$) ...
0 Karma
Reply

Soundaryakunder
Loves-to-Learn Lots
‎07-01-2022 01:35 AM

Your solution really helped. Thank you very much

0 Karma
Reply

Soundaryakunder
Loves-to-Learn Lots
‎07-04-2022 03:38 AM

 I have created a dashboard with 3 panels and it has 17 apps.

 

Please help me on this.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 03:43 AM

It depends on what you are trying to display in your dashboard - if you have 17 searches to do, this will take some time - there are various optimisations available but it depends on your use case - things to consider are summary indexes, saved reports, splitting across multiple dashboards, hiding panels until data is available, etc.

0 Karma
Reply

Soundaryakunder
Loves-to-Learn Lots
‎07-04-2022 03:53 AM

Okay. Thanks

0 Karma
Reply

Soundaryakunder
Loves-to-Learn Lots
‎07-04-2022 09:27 PM

I need one more help..

I have already specified the multiple values(app1,app2,app3.....)in the token. So I have tried to remove the eval(eval app_name="app1,app2,app3........") command from the Query. but it is returning wrong results. Is this eval command is required?

Please suggest me on this.

 <init>
    <set token="app_names">app1,app2,app3................</set>
 </init>
 ......
  <row>
    <panel>
      <title>Dashboard</title>
      <table>
         <search>
          <query>index=idx ns=xyz* app_name IN ($app_names$) pod_container=xyz* ((" ERROR " OR " WARN ")
		  |stats count by app_name
          | append
    [| stats count
    | eval app_name="app1,app2,app3........"
    | table app_name
    | makemv app_name delim=","
    | mvexpand app_name]
	.......

 Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...