Dashboards & Visualizations

How to set a different prefix for a multiselect input per panel?

cotekyle
Explorer

I have a multiselect input box for users to select the vpc/host(s) that will drive my panels.

Here is my issue...
Panel A expects a value of host=A OR host=B OR host=C
Panel B expects a value of vpcId=A OR vpcId=B or vpcId=C...
Panel C expects a value of root_event_search.h=A OR root_event_search.h=B or root_event_search.h=C

When defining my multinput I currently have:

<valuePrefix>host=</valuePrefix>
      <delimiter> OR </delimiter>

The values (A,B,C) are the same for every panel. Can I set the valuePrefix to something different within a panel? I.e. Set valuePrefix vpcId= or Set valuePrefix root_event_search.h=

1 Solution

masonmorales
Influencer

I'm not sure if that's possible with a single multi-select using Simple XML (if it is, I'm sure someone will chime-in). Why not rename the fields to a common name in each of your panel searches though? That way the prefix will always match...

<valuePrefix>CommonHost=</valuePrefix>

... base search ... | rename host as CommonHost | search $yourtoken$
... base search ... | rename vpcId as CommonHost | search $yourtoken$
Etc.

View solution in original post

afishkin_splunk
Splunk Employee
Splunk Employee

$submitted:host$

0 Karma

afishkin_splunk
Splunk Employee
Splunk Employee

It could be
host="
"
OR

0 Karma

cotekyle
Explorer

Can you elaborate?

| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 | rename root_event_search.h AS host | search where host=*vpc-11111 OR host=*vpc-222222 OR host=*vpc-333333 OR host=*vpc-444444 OR host=*vpc-555555

If I run the above with my VPCs I get thousands of events matched for 24 hours, but for statistics "No results returned." End goal again is just to get a single value for the number of hosts.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Your query has to be modified now to include the field that you're filtering on later (root_event_search.h). Try something like this

| tstats prestats=f count from datamodel=license_report2 by root_event_search.h | rename root_event_search.h AS host | search where host=*vpc-11111 OR host=*vpc-222222 OR host=*vpc-333333 OR host=*vpc-444444 OR host=*vpc-555555 | stats count as hostcount
0 Karma

masonmorales
Influencer

I'm not sure if that's possible with a single multi-select using Simple XML (if it is, I'm sure someone will chime-in). Why not rename the fields to a common name in each of your panel searches though? That way the prefix will always match...

<valuePrefix>CommonHost=</valuePrefix>

... base search ... | rename host as CommonHost | search $yourtoken$
... base search ... | rename vpcId as CommonHost | search $yourtoken$
Etc.

cotekyle
Explorer

I run into an issue then when I go to rename root_event_search.h in this panel's search:

| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 where root_event_search.h=A OR root_event_search.h=B OR root_event_search.h=C

Where can I rename it without messing everything up? tstats has to begin the search.

0 Karma

masonmorales
Influencer

At the very end.

0 Karma

masonmorales
Influencer
 | tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 where root_event_search.h=A OR root_event_search.h=B OR root_event_search.h=C | rename root_event_search.h as CommonHost | search $yourtoken$
0 Karma

cotekyle
Explorer

The issue with that code is that you've already searched for the token at the where clause. Otherwise there would be no value for A,B,C.

| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 where $CommonHost$| rename root_event_search.h as CommonHost 

i.e. $CommonHost$ = CommonHost=vpc-1234 OR CommonHost=vpc-92820 OR CommonHost=23456

0 Karma

masonmorales
Influencer
| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 | rename root_event_search.h as CommonHost | search $yourtoken$

You could also do where $yourtoken$ at the end.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...