Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with delimiters/suffix in multiselect

Mrig342
Contributor
‎01-06-2022 11:28 PM

Hi All,

I have a query to get the result of the list of filesystems and their respective disk usage details as below:

File_System  Total in GB   Used in GB   Available in GB   Disk_Usage in %
/var                   10                    9.2                   0.8                           92
/opt                   10                    8.1                   1.9                          81
/logs                 10                    8.7                   1.3                          87
/apps                10                    8.4                   1.6                          84
/pcvs                10                    9.4                    0.6                         94

I need to create a multiselect option with the disk usage values to get the above table for a range of values. For e.g. If I select 80 in the multiselect it will show the table with values of disk usage in the range 76-80, then if I select 80 & 90 in the multiselect it will show the table with values of disk usage in the range 76-80 & 86-90 and so on. I created the multiselect with token as "DU" and created the search query for the table as:

.... | where ((Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)) OR (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)))
| table File_System,Total,Used,Available,Disk_Usage
| rename Total as "Total in GB" Used as "Used in GB" Available as "Available in GB" Disk_Usage as "Disk_Usage in %"

With the above query I am able to get the results when I run a search with two different values (e.g. 100 & 65) for $DU$ in (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)). But with this query I am not able to get the table in the dashboard when I am using multiple values. Please help me with the delimiter to be added or help create a query so that upon selecting multiple options in multiselect will give the table for a range of disk usage values.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 11:43 PM

Set the value of each of your dropdown choices to be the condition you want and then use the token for the where clause

<choice value="Disk_Usage<=80 AND Disk_usage>75">80</choice>
<choice value="Disk_Usage<=100 AND Disk_usage>95">100</choice>
<prefix>(</prefix>
<valuePrefix>(</valuePrefix>
<valueSuffix>)</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
... | where $DU$

View solution in original post

Reply
Solved! Jump to solution

Mrig342
Contributor
‎01-09-2022 10:54 PM

Thank you ITWhisperer..!!

Keeping the choices static has solved my requirement.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 11:43 PM

Set the value of each of your dropdown choices to be the condition you want and then use the token for the where clause

<choice value="Disk_Usage<=80 AND Disk_usage>75">80</choice>
<choice value="Disk_Usage<=100 AND Disk_usage>95">100</choice>
<prefix>(</prefix>
<valuePrefix>(</valuePrefix>
<valueSuffix>)</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
... | where $DU$
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...