Dashboards & Visualizations

How to use multiple tokens in the same search?

pierra56
Explorer

Hi,

I would like to automate the search results Next the sourcetype but also according to the source IP address.
The code:

<form>





All


<![CDATA[|metadata type=sourcetypes index= | stats count by sourcetype]]>






Top 5 source
index=* sourcetype="$sourcetype$" src="$src$"| stats sum(sent) as send sum(rcvd) as receive by dst | sort - send,receive | head 10



Have you any idea?

1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[|metadata type=sourcetypes index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="text" token="ipAddress">
      <label>IP Address(format XXX.XXX.XXX.XXX)</label> 
      <default /> 
  </input>
  </fieldset>
  <row>
    <panel>
      <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$" src="$ipAddress$"| stats sum(sent) as send sum(rcvd) as receive by dst | sort - send,receive | head 10 </searchString>
      </table>  
    </panel>
    </row>
</form>

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try this

<form>
  <label>Dynamic Source</label>
  <fieldset autoRun="true">
    <input type="dropdown" token="sourcetype" searchWhenChanged="false">
      <label>Sourcetype</label>
      <choice value="*">All</choice>
      <default>*</default>
      <populatingSearch fieldForValue="sourcetype" fieldForLabel="sourcetype">
        <![CDATA[|metadata type=sourcetypes index=* | stats count by sourcetype]]>
      </populatingSearch>
    </input>
    <input type="text" token="ipAddress">
      <label>IP Address(format XXX.XXX.XXX.XXX)</label> 
      <default /> 
  </input>
  </fieldset>
  <row>
    <panel>
      <table>
      <title>Top 5 source</title>
      <searchString>index=* sourcetype="$sourcetype$" src="$ipAddress$"| stats sum(sent) as send sum(rcvd) as receive by dst | sort - send,receive | head 10 </searchString>
      </table>  
    </panel>
    </row>
</form>

pierra56
Explorer

Again thanks.

0 Karma

pierra56
Explorer

yes, it's true a textbox would be more practical.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You want a dropdown for source IPs or a textbox (manual input)?

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...