Dashboards & Visualizations

What command can be used to index a field for all panels of a dashboard?

ecterion06
Engager

Dear all,

I am pretty new to Splunk, as I have been using it seriously for only 3 days. I have a question regarding an operation that I would like to do and which seems to be a "temporary indexation" of a field in a dashboard.
I have a dashboard with multiple panels. Four of these panels use a field that is computed through the following rex commands:

… | rex field=url "(http(s)?://)?(?<test>.[.0-9a-zA-Z-:]*)" 
  | rex field=test "(?<domain_name>([0-9a-zA-Z-:]*[.]?){2}[0-9a-zA-Z-:]*)$"

My four panels all re-use these two commands before doing some transformation on the result.

My problem/question is simple: I would like to execute these two commands once, temporarily index the new field (domain_name) and then use it across panels in my dashboard.

I have tried to compute the field once, supposing that the dashboard's panels shared the same execution environment. However, it seems that search queries done in a panel are independent of the search queries done in any other panel of the same dashboard. I also thought about passing the resulting events (i.e., with the additional test and domain_name fields) in a token and using that token in the panels needing it. That solution does not seem to work and does not seem robust either.

If anyone has an elegant solution or a pointer to the appropriate command(s) in the Splunk documentation, it would be of great help. Thanks a lot!


gcusello
SplunkTrust

Hi @ecterion06,
the easiest way is to permanently extract these fields, as @to4kawa said, using the Field extractor or creating a new field [Settings -- Fields -- New] using your regexes.

If instead you need these fields only in one dashboard, you can use the Post-process Search, creating a base search with your search and the field extraction and then using it for your panels; you can find info at https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Post-process_searches_2 or (better) by installing the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ), where there is a how-to.

Ciao.
Giuseppe
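A concrete version of the post-process pattern Giuseppe describes, written as an added Simple XML example that is not from the original thread or from the Splunk documentation. It runs the two rex commands from the question once in a base search and lets three panels post-process that result. The index name `web`, the sourcetype `access_combined`, and the `status`/`bytes` fields are hypothetical placeholders; inside XML the `<` of a named capture group must be written as `&lt;`.

```xml
<form>
  <label>Domain breakdown (added post-process example)</label>

  <fieldset submitButton="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: executed once per dashboard load. "index=web" and
       "sourcetype=access_combined" are hypothetical placeholders; the two
       rex commands are the ones from the question. The trailing "fields"
       keeps only what the panels need, which keeps the shared result small. -->
  <search id="base_domain">
    <query>
      index=web sourcetype=access_combined
      | rex field=url "(http(s)?://)?(?&lt;test&gt;.[.0-9a-zA-Z-:]*)"
      | rex field=test "(?&lt;domain_name&gt;([0-9a-zA-Z-:]*[.]?){2}[0-9a-zA-Z-:]*)$"
      | fields _time domain_name status bytes
    </query>
    <earliest>$tr.earliest$</earliest>
    <latest>$tr.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Top 10 domains by request count</title>
      <chart>
        <!-- Post-process search: only the part that runs on top of the base results -->
        <search base="base_domain">
          <query>stats count by domain_name | sort - count | head 10</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
    <panel>
      <title>HTTP errors (status 400 and above) by domain</title>
      <table>
        <search base="base_domain">
          <query>search status>=400 | stats count as errors by domain_name | sort - errors</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Bytes per domain over time (top 5 domains)</title>
      <chart>
        <search base="base_domain">
          <query>timechart span=1h limit=5 sum(bytes) as bytes by domain_name</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Two caveats worth knowing before relying on this: a base search that returns raw events (as this one does) is capped at a default of 500,000 events, so on a busy index either narrow the time range or make the base search transforming (for example `stats count, sum(bytes) as bytes by _time, domain_name, status`) and have the panels aggregate further from that; and each post-process query must start with a command that can consume the base results, not with a generating command such as `search index=...` or `inputlookup`.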

to4kawa
Ultra Champion