Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set a different prefix for a multiselect input per panel?

cotekyle
Explorer
‎09-28-2015 01:57 PM

I have a multiselect input box for users to select the vpc/host(s) that will drive my panels.

Here is my issue...
Panel A expects a value of host=A OR host=B OR host=C
Panel B expects a value of vpcId=A OR vpcId=B or vpcId=C...
Panel C expects a value of root_event_search.h=A OR root_event_search.h=B or root_event_search.h=C

When defining my multinput I currently have:

<valuePrefix>host=</valuePrefix>
      <delimiter> OR </delimiter>

The values (A,B,C) are the same for every panel. Can I set the valuePrefix to something different within a panel? I.e. Set valuePrefix vpcId= or Set valuePrefix root_event_search.h=

Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎09-28-2015 02:20 PM

I'm not sure if that's possible with a single multi-select using Simple XML (if it is, I'm sure someone will chime-in). Why not rename the fields to a common name in each of your panel searches though? That way the prefix will always match...

<valuePrefix>CommonHost=</valuePrefix>

... base search ... | rename host as CommonHost | search $yourtoken$
... base search ... | rename vpcId as CommonHost | search $yourtoken$
Etc.

View solution in original post

Reply
Solved! Jump to solution

afishkin_splunk
Splunk Employee
Splunk Employee
‎09-30-2015 09:28 AM

$submitted:host$

0 Karma
Reply
Solved! Jump to solution

afishkin_splunk
Splunk Employee
Splunk Employee
‎09-29-2015 10:24 AM

It could be
host="
"
OR

0 Karma
Reply
Solved! Jump to solution

cotekyle
Explorer
‎09-30-2015 06:11 AM

Can you elaborate?

| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 | rename root_event_search.h AS host | search where host=*vpc-11111 OR host=*vpc-222222 OR host=*vpc-333333 OR host=*vpc-444444 OR host=*vpc-555555

If I run the above with my VPCs I get thousands of events matched for 24 hours, but for statistics "No results returned." End goal again is just to get a single value for the number of hosts.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-30-2015 06:58 AM

Your query has to be modified now to include the field that you're filtering on later (root_event_search.h). Try something like this

| tstats prestats=f count from datamodel=license_report2 by root_event_search.h | rename root_event_search.h AS host | search where host=*vpc-11111 OR host=*vpc-222222 OR host=*vpc-333333 OR host=*vpc-444444 OR host=*vpc-555555 | stats count as hostcount
0 Karma
Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎09-28-2015 02:20 PM

I'm not sure if that's possible with a single multi-select using Simple XML (if it is, I'm sure someone will chime-in). Why not rename the fields to a common name in each of your panel searches though? That way the prefix will always match...

<valuePrefix>CommonHost=</valuePrefix>

... base search ... | rename host as CommonHost | search $yourtoken$
... base search ... | rename vpcId as CommonHost | search $yourtoken$
Etc.

Reply
Solved! Jump to solution

cotekyle
Explorer
‎09-28-2015 02:56 PM

I run into an issue then when I go to rename root_event_search.h in this panel's search:

| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 where root_event_search.h=A OR root_event_search.h=B OR root_event_search.h=C

Where can I rename it without messing everything up? tstats has to begin the search.

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎09-28-2015 03:12 PM

At the very end.

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎09-28-2015 03:12 PM 
 | tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 where root_event_search.h=A OR root_event_search.h=B OR root_event_search.h=C | rename root_event_search.h as CommonHost | search $yourtoken$
0 Karma
Reply
Solved! Jump to solution

cotekyle
Explorer
‎09-29-2015 06:12 AM

The issue with that code is that you've already searched for the token at the where clause. Otherwise there would be no value for A,B,C.

| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 where $CommonHost$| rename root_event_search.h as CommonHost

i.e. $CommonHost$ = CommonHost=vpc-1234 OR CommonHost=vpc-92820 OR CommonHost=23456

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎09-29-2015 07:00 AM 
| tstats prestats=f dc(root_event_search.h) AS hostcount from datamodel=license_report2 | rename root_event_search.h as CommonHost | search $yourtoken$

You could also do where $yourtoken$ at the end.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...