Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiselect token not interacting with Chart

MrJohn230
Path Finder
‎10-24-2023 11:50 AM

I have a multiselect that does not interact with my Trellis chart.

I would say; it's not defined in my base search but not sure how to identify the issue and how to fix?

BASE Search:

| eval Pat=spath(json, "Info.Pat.Time")
| eval Con=spath(json, "Info.Con.Time")
| eval Cov=spath(json, "Info.Cov.Time")
| eval Category = RED
| table _time, Pat, Con, Cov, Category

 Mulit-Select:

| eval SysTime = Category + ":" + _time
| fields - Category
| untable SysTime Reason CurationValue
| eval Category = mvindex(split(SysTime, ":"), 0)
| eval _time = mvindex(split(SysTime, ":"), 1)
| fields - SysTime
| table Reason
| dedup Reason

Chart:

| search Category $t_category$ Reason $t_reason$
| timechart span=1h avg(Pat) as Pat, avg(Con) as Con, avg(Cov) as Cov

 

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-25-2023 04:26 AM

What's the definition of your multiselect input - you've only listed the search.

You are using Reason $t_reason$ in your search - but in your chart search, which if it's coming from base search, there is no reason field, so you cannot filter by reason

Is t_category token coming from another input?

If you are using a syntax 

Reason $t_reason$

and your input is a multiselect, then it looks odd that you have "Reason" in the search - is that just searching the raw text for Reason or is that somehow part of a field called Reason?

0 Karma
Reply

MrJohn230
Path Finder
‎10-25-2023 04:58 AM

 I have my base search and Pat, Con and Cov are individual columns. I want those to be the values for my multi-value select. So in my mulit-value select I un-table those columns into rows with the column being Reason. 

 

| table _time, Pat, Con, Cov, Category

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-25-2023 05:22 AM

All your multi-select search is doing (assuming it is based on your base search) is giving you the names of the fields you have described in your base search (Pat, Con and Cov), so why not just hard code them in your multi-select?

If you want to continue using the base search, your multi-select search could be simplified to

| fields - Category
| untable _time Reason CurationValue
| table Reason
| dedup Reason

Having said that, it is still not clear what is not working for you. Do you need something like this?

| search Reason IN ($t_reason$)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...