How to pass multiple variables in a token to run search for each variable?

gerald_contrera
Path Finder

Hi all,

I have a dashboard that uses multiselect to get multiple variables.
I am using the "IN" command to search both variables, but I don't know how to make the search perform for each variable and join the results?

Example:

eventtype="perfmon_windows" object IN ("MSExchange Replication " "MSExchange ADAccess Processes") 
| stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by object 

I need the stats search to run for each variable in the field "object" (in this case the variables are "MSExchange Replication " and "MSExchange ADAccess Processes").

I'm not sure if that makes sense; in other languages it would be using a foreach command, but I don't think it works the same in Splunk.

Any direction would be much appreciated.

Thanks in advance


niketn
Legend

@gerald_contreras if you can add the current code that you have for multiselect, that would be great for us to assist you better.

Is something like the following what you are looking for?

<form>
  <label>Multiselect IN</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="tokObject" searchWhenChanged="true">
      <label>Select Object</label>
      <choice value="MSExchange Replication">MSExchange Replication</choice>
      <choice value="MSExchange ADAccess Processes">MSExchange ADAccess Processes</choice>
      <prefix>IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <!-- HTML Panel to display Selected Tokens -->
  <row>
    <panel>
      <html>
        <div>tokObject: $tokObject$</div>
      </html>
    </panel>
  </row>
</form>

PS: Following are the settings for multi-select so that if one or more options are selected the token looks like the following IN ("MSExchange Replication","MSExchange ADAccess Processes"):

   <prefix>IN (</prefix>
   <suffix>)</suffix>
   <valuePrefix>"</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <delimiter>,</delimiter>

You can either try the run anywhere example above with static option or else change the multi-select configuration using Simple XML options mentioned above.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gerald_contrera
Path Finder

Thanks niketnilay,

So currently it will give the results from the last item selected from the multiselect, whereas I need it to run the stats for each of the selected variables from the object field multiselect.

Token: selectobject

Dynamic Options. Uses lookup to get list of object variables
| inputlookup perfmon_used_counters.csv | search object=* | dedup object | table object | sort object

Token prefix and suffix is: "
- because the object variable can have a space in between (EG- MSExchange ADAccess Processes)

Delimiter is " "
- to be able to separate the variables when using the IN command
- - EG ("MSExchange Replication " "MSExchange ADAccess Processes")

Original Search in dashboard panel:

eventtype="perfmon_windows" object IN ($selectobject$)

| stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by object
| convert ctime("Last Updated")
| sort - Current
| eval Average=round(Average, 2)
| eval Peak=round(Peak, 2)
| eval Current=round(Current, 2)

Basically I need the stats search to run for each of the variables in $selectobject$

niketn
Legend

@gerald_contreras FYI, you can up-vote the answer/comment by using up arrow icon that appears next to answers and on hovering over comment towards right top of the comment.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gerald_contrera
Path Finder

Yes, thank you, I up-voted and awarded a point


gerald_contrera
Path Finder

Yes, that has done the trick, after I amended my panel search to just object $tokobject$

Changed
eventtype="perfmon_windows" object IN ($selectobject$)
to
eventtype="perfmon_windows" object $selectobject$

Thank you very much. Spot on!
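
The configuration the thread arrives at, assembled as one dashboard (an added example, not code posted by either participant). It combines the multiselect settings from the accepted answer with the lookup-driven options and panel search from the follow-up; the dashboard label and the time range are assumptions.

```xml
<form>
  <!-- Added example: not part of the original thread -->
  <label>Perfmon objects (multiselect IN)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="selectobject" searchWhenChanged="true">
      <label>Select Object</label>
      <!-- Dynamic options from the lookup named in the thread -->
      <search>
        <query>| inputlookup perfmon_used_counters.csv | search object=* | dedup object | table object | sort object</query>
      </search>
      <fieldForLabel>object</fieldForLabel>
      <fieldForValue>object</fieldForValue>
      <!-- Token expands to: IN ("value 1","value 2") -->
      <prefix>IN (</prefix>
      <suffix>)</suffix>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The token already carries IN ( ... ), so the query must not repeat it:
               "object IN ($selectobject$)" would expand to object IN (IN (...)). -->
          <query>eventtype="perfmon_windows" object $selectobject$
| stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by object
| convert ctime("Last Updated")
| sort - Current
| eval Average=round(Average, 2)
| eval Peak=round(Peak, 2)
| eval Current=round(Current, 2)</query>
          <!-- Assumed time range; the thread does not state one -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the stats command splits `by object`, one search returns a row per selected value; no per-value loop is needed.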
