Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Summary Index token drop down help

harkirat9712
Explorer
‎12-20-2019 01:36 AM

Hi Team,

My current configs has drop down with one token , 3 choice value and 1 search query below.

$api_cached_realtime_token$ is replaced by choice value as per 3 dropdown(All, RealTime, Cached )
Below is original code:

  <input type="dropdown" token="api_cached_realtime_token" searchWhenChanged="true">
    <label>Type</label>
    <choice value="apiActualTimeTaken">All</choice>
    <choice value="realTime_timeTaken">RealTime</choice>
    <choice value="cached_timeTaken">Cached</choice>
    <default>apiActualTimeTaken</default>
    <initialValue>apiActualTimeTaken</initialValue>
  </input>
  <chart>
    <search>
      <query>index=mysupport_core sourcetype=mysupport_app_log event=ApiSummaryEvent api=LinkingToolController.linkProduct  apiStatus=* | timechart span=1h avg($api_cached_realtime_token$) as AVG, P95($api_cached_realtime_token$) as P95</query>
      <earliest>$time_token.earliest$</earliest>
      <latest>$time_token.latest$</latest>
    </search>
    <option name="charting.chart">line</option>
    <option name="charting.drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </chart>
</panel>

Now I am moving into summary index.

summary_index is = my_summary_index I am writing all the above into summary index by using search query below.

index=mysupport_core sourcetype=mysupport_app_log event=ApiSummaryEvent api=LinkingToolController.linkProduct apiStatus=* | stats avg(apiActualTimeTaken) as AVG_Actual avg(realTime_timeTaken) as AVG_real avg(cached_timeTaken) as AVG_cached P95(apiActualTimeTaken) as P95_Actual P95(realTime_timeTaken) as P95_real P95(cached_timeTaken) as P95_cached

Pls help me achieve same with 3 dropdown (All, RealTime, Cached ) that output search for respective drop-down. (one-token-multiple value-perhaps)
index=my_summary_index | stats sum(AVG_Actual or AVG_real or AVG_cached ) as AVG sum(P95_Actual or P95_real or P95_cached) as per dropdown(All, RealTime, Cached ) respectively.

I tried This article helped a bit but could not achieve yet.

https://answers.splunk.com/answers/525245/how-to-pass-multiple-values-for-a-field-through-to-1.html

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-21-2019 07:03 PM 
<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="api_cached_realtime_token" searchWhenChanged="true">
      <label>Type</label>
      <change>
        <eval token="api_test1">mvindex(split($api_cached_realtime_token$,","),0)</eval>
        <eval token="api_test2">mvindex(split($api_cached_realtime_token$,","),1)</eval>
      </change>
      <fieldForLabel>column</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="All,RealTime,Cached
AVG_Actual,AVG_real,AVG_cached
P95_Actual,P95_real,P95_cached"
| multikv forceheader=1
| table All RealTime Cached
| transpose
| eval value=mvzip('row 1','row 2')
| table column value</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>1: $api_cached_realtime_token$<br/>2: $api_test1$<br/>3: $api_test2$</h1>
      </html>
    </panel>
  </row>

Hi, @harkirat9712
I made the token appropriately, so if you can fix it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-21-2019 07:03 PM 
<form>
  <fieldset submitButton="false">
    <input type="dropdown" token="api_cached_realtime_token" searchWhenChanged="true">
      <label>Type</label>
      <change>
        <eval token="api_test1">mvindex(split($api_cached_realtime_token$,","),0)</eval>
        <eval token="api_test2">mvindex(split($api_cached_realtime_token$,","),1)</eval>
      </change>
      <fieldForLabel>column</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| makeresults
| eval _raw="All,RealTime,Cached
AVG_Actual,AVG_real,AVG_cached
P95_Actual,P95_real,P95_cached"
| multikv forceheader=1
| table All RealTime Cached
| transpose
| eval value=mvzip('row 1','row 2')
| table column value</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <h1>1: $api_cached_realtime_token$<br/>2: $api_test1$<br/>3: $api_test2$</h1>
      </html>
    </panel>
  </row>

Hi, @harkirat9712
I made the token appropriately, so if you can fix it.

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...