
Need help with delimiters/suffix in multiselect

Mrig342
Contributor

Hi All,

I have a query to get the result of the list of filesystems and their respective disk usage details as below:

File_System  Total in GB  Used in GB  Available in GB  Disk_Usage in %
/var         10           9.2         0.8              92
/opt         10           8.1         1.9              81
/logs        10           8.7         1.3              87
/apps        10           8.4         1.6              84
/pcvs        10           9.4         0.6              94

I need to create a multiselect option with the disk usage values to get the above table for a range of values. For example, if I select 80 in the multiselect, it will show the table with values of disk usage in the range 76-80; then if I select 80 & 90 in the multiselect, it will show the table with values of disk usage in the range 76-80 & 86-90, and so on. I created the multiselect with the token "DU" and created the search query for the table as:

.... | where ((Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)) OR (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)))
| table File_System,Total,Used,Available,Disk_Usage
| rename Total as "Total in GB" Used as "Used in GB" Available as "Available in GB" Disk_Usage as "Disk_Usage in %"

With the above query I am able to get the results when I run a search with two different values (e.g. 100 & 65) for $DU$ in (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)). But with this query I am not able to get the table in the dashboard when I am using multiple values. Please help me with the delimiter to be added, or help me create a query so that selecting multiple options in the multiselect gives the table for a range of disk usage values.


ITWhisperer
SplunkTrust

Set the value of each of your dropdown choices to be the condition you want and then use the token for the where clause

<!-- '<' must be written as &lt; inside an XML attribute value; field names are case-sensitive -->
<choice value="Disk_Usage&lt;=80 AND Disk_Usage>75">80</choice>
<choice value="Disk_Usage&lt;=100 AND Disk_Usage>95">100</choice>
<prefix>(</prefix>
<valuePrefix>(</valuePrefix>
<valueSuffix>)</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>

... | where $DU$
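
How the settings in the answer above combine into the $DU$ token, as an added Python sketch that is not part of the original posts: it generates the <choice> elements for 5-point buckets (more buckets than the two shown in the answer), models the token expansion, and applies the same comparison to the sample rows from the question. The function names are hypothetical, and the join order (prefix, each value wrapped in valuePrefix/valueSuffix, joined by delimiter, then suffix) is the assumed Simple XML behaviour.

```python
from xml.sax.saxutils import quoteattr

# Wrapper settings copied from the answer above.
PREFIX, VALUE_PREFIX, VALUE_SUFFIX, DELIMITER, SUFFIX = "(", "(", ")", " OR ", ")"
FIELD = "Disk_Usage"  # field name from the question's table
WIDTH = 5             # bucket width from the question (76-80, 86-90, ...)


def bucket_condition(upper, width=WIDTH, field=FIELD):
    """SPL condition for one bucket: upper=80 gives Disk_Usage<=80 AND Disk_Usage>75."""
    return f"{field}<={upper} AND {field}>{upper - width}"


def choice_xml(upper):
    """One <choice> element; quoteattr escapes '<' and '>' so the XML stays well-formed."""
    return f"<choice value={quoteattr(bucket_condition(upper))}>{upper}</choice>"


def expand_token(selected_uppers):
    """Model of the string substituted for $DU$ (assumed join order, see lead-in)."""
    if not selected_uppers:
        raise ValueError("nothing selected: this model only covers a non-empty selection")
    parts = [VALUE_PREFIX + bucket_condition(u) + VALUE_SUFFIX for u in selected_uppers]
    return PREFIX + DELIMITER.join(parts) + SUFFIX


def matching_rows(rows, selected_uppers, width=WIDTH):
    """File systems the expanded where clause keeps (same comparison, done in Python)."""
    return [fs for fs, usage in rows
            if any(u - width < usage <= u for u in selected_uppers)]


# Sample rows from the question: (File_System, Disk_Usage in %).
ROWS = [("/var", 92), ("/opt", 81), ("/logs", 87), ("/apps", 84), ("/pcvs", 94)]

if __name__ == "__main__":
    for upper in range(80, 101, 5):       # choices labelled 80, 85, 90, 95, 100
        print(choice_xml(upper))
    print("... | where " + expand_token([80, 90]))
    print(matching_rows(ROWS, [80, 90]))
```
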


Mrig342
Contributor

Thank you ITWhisperer..!!

Keeping the choices static has solved my requirement.
