Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with delimiters/suffix in multiselect

Mrig342
Contributor
‎01-06-2022 11:28 PM

Hi All,

I have a query to get the result of the list of filesystems and their respective disk usage details as below:

File_System  Total in GB   Used in GB   Available in GB   Disk_Usage in %
/var                   10                    9.2                   0.8                           92
/opt                   10                    8.1                   1.9                          81
/logs                 10                    8.7                   1.3                          87
/apps                10                    8.4                   1.6                          84
/pcvs                10                    9.4                    0.6                         94

I need to create a multiselect option with the disk usage values to get the above table for a range of values. For e.g. If I select 80 in the multiselect it will show the table with values of disk usage in the range 76-80, then if I select 80 & 90 in the multiselect it will show the table with values of disk usage in the range 76-80 & 86-90 and so on. I created the multiselect with token as "DU" and created the search query for the table as:

.... | where ((Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)) OR (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)))
| table File_System,Total,Used,Available,Disk_Usage
| rename Total as "Total in GB" Used as "Used in GB" Available as "Available in GB" Disk_Usage as "Disk_Usage in %"

With the above query I am able to get the results when I run a search with two different values (e.g. 100 & 65) for $DU$ in (Disk_Usage<=$DU$ AND Disk_Usage>($DU$-5)). But with this query I am not able to get the table in the dashboard when I am using multiple values. Please help me with the delimiter to be added or help create a query so that upon selecting multiple options in multiselect will give the table for a range of disk usage values.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 11:43 PM

Set the value of each of your dropdown choices to be the condition you want and then use the token for the where clause

<choice value="Disk_Usage<=80 AND Disk_usage>75">80</choice>
<choice value="Disk_Usage<=100 AND Disk_usage>95">100</choice>
<prefix>(</prefix>
<valuePrefix>(</valuePrefix>
<valueSuffix>)</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
... | where $DU$

View solution in original post

Reply
Solved! Jump to solution

Mrig342
Contributor
‎01-09-2022 10:54 PM

Thank you ITWhisperer..!!

Keeping the choices static has solved my requirement.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 11:43 PM

Set the value of each of your dropdown choices to be the condition you want and then use the token for the where clause

<choice value="Disk_Usage<=80 AND Disk_usage>75">80</choice>
<choice value="Disk_Usage<=100 AND Disk_usage>95">100</choice>
<prefix>(</prefix>
<valuePrefix>(</valuePrefix>
<valueSuffix>)</valueSuffix>
<delimiter> OR </delimiter>
<suffix>)</suffix>
... | where $DU$
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...