Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

i am reading from log file and have query to return all the host. can we include teh step to categories test/qa/prod in

Jasmine
Path Finder
‎04-10-2024 11:44 AM

i am reading teh host from log file and have query to return all the host. 

 

index=aaa  source="/var/log/test1.log"|stats count by host

 

 can we include teh step to categories test/qa/prod in the drop down list  from the list of host returned in the query itself?(using wildcard if host has t then test /if host has q -qa server, etc?

but for now i am using static options 

test - testhost

qa - qahost

prod - prodhost

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-10-2024 05:24 PM

You can use the populating search of the drop down to add dynamic options and do something like this to categorise the host type

index=aaa  source="/var/log/test1.log"
|stats count by host
| eval category=case(match(host, "t"), "Test", 
                     match(host, "q"), "QA", 
                     match(host, "p"), "Prod",
                     true(), "Unknown")

change the match statement regex as needed and the category you want to show.

category will be the <fieldForLabel> and then you need to make the <fieldForValue> to contain the value element you want for the token.

0 Karma
Reply

Jasmine
Path Finder
‎04-12-2024 10:26 AM

in QA and PROd i have 3 servers

test - testhost

qa - qahost1,qahost2,qahost3

prod - prodhost1,prodhost2,prodhost3

and my query would be for qa if i choose qa from dropdownlist

 

index=aaa(source="/var/log/tes1.log" (host=qahost1) OR (host=qahost2,) OR (host=qahost3) )

 

can you please help me integrate above one with below query?

index=aaa source="/var/log/test1.log"
|stats count by host
| eval category=case(match(host, "t"), "Test",
match(host, "q"), "QA",
match(host, "p"), "Prod",
true(), "Unknown")
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-15-2024 03:35 PM

Here's a simple example

<form version="1.1">
  <label>HostDropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="hosts" searchWhenChanged="true">
      <label>Host Types</label>
      <choice value="prodhost*">Production</choice>
      <choice value="qahost*">QA</choice>
      <choice value="testhost*">Test</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
index=aaa source="/var/log/test1.log" host=$hosts$
|stats count by host
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

I suggest you look at this and have a look through the documentation that describes this

https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...