- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk Dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Everyone,
I am working on a dashboard with 2 event panel . and i would like to use the outcome of panel 1 as an input to my panel 2 . Can you please advise what is the optimal way to take a specific field output and utilise as an input in the next panel . I tried base search but did not provide result as expected.
Panel 1 :
<query>index=xyz sourcetype=vpn *session*
| fields session, connection_name, DNS, ip_subnet, Location,user
| stats values(connection_name) as connection, values(Dns) as DNS, by session
| join type=inner session
[ search index=abc sourcetype=vpn *Dynamic*
| fields assigned_ip,session | stats values(assigned_ip) as IP by session]
| table User,session,connection_name,ip_subnet,IP,DNS,Location |where user="$field1$" OR connection_name="$field2$" OR session="$field3$"</query>
Once the output is generated for the above query , i would like to leverage the value displayed for Ip_subnet and use that as input for panel 2
Panel 2:
<query>|inputlookup letest.csv
|rename "IP address details" as IP
| xyseries Ip_subnet,Location,IP | where Ip_subnet="$Ip_subnet$"</query>
In panel 2 $Ip_subnet$ is input that would be taken from value of Ip_subnet of panel 1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Richgalloway,
Thank you for taking time and responding to my query . Instead of using the set token i went ahead with storing the value in another field ( as a dropdown) and selected from there and that became the input for the next panel.
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use a done element to set a token for the 2nd query to use.
...</query>
<done>
<set token=ip_subnet>$result.ip_subnet$</set>
</done>Remember that field and token names are case-sensitive.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Richgalloway,
Thank you for taking time and responding to my query . Instead of using the set token i went ahead with storing the value in another field ( as a dropdown) and selected from there and that became the input for the next panel.
Regards.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
