Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

lable and value in dropdownlist for dynamic load

Jasmine
Path Finder
‎04-12-2024 11:56 PM

 

 <input type="dropdown" token="envtoken">
      <label>env</label>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search> <query>
index=aaa (source="/var/log/testd.log")
|stats count by host 
| eval label=case(match(host, ".*tv*."), "Test", 
                     match(host, ".*qv*."), "QA",
                     match(host, ".*pv*."), "Prod")| dedup label</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>

 

dropdownlist binding with TEST, QA and PROD

In QA and prod have 3 host. If i select QA from dropdown list , will the search includes from all the three hosts? could you plase confirm

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-13-2024 12:32 AM

@Jasmine - Use like instead of match function.

| eval label=case(like(host, "%tv00.test.net"), "Test", 
                     like(host, "%qv00.qa.net"), "QA",
                     like(host, "%pv00.prod.net"), "Prod")

 

I hope this helps!!!

0 Karma
Reply

Jasmine
Path Finder
‎04-13-2024 12:59 AM

i have replaced with like.. but it search from one host only. as i mentioned in QA i have 3 hosts and Prod i have 3 hosts. i have used dedup label to avoid duplicate in drop down list . but search result containes only from one host. not from all the 3 hosts if i select QA or PROD. please advise.

 

 <input type="dropdown" token="envtoken">
      <label>env</label>
     <fieldForLabel>label</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <prefix>(host=</prefix>
      <suffix>)</suffix>
      <search> <query>
index=aaa (source="/var/log/testd.log")
|stats count by host 
| eval label=case(like(host, "%tv00.test"), "Test", 
                     like(host, "%qv00.qa"), "QA",
                     like(host, "%pv00.prod"), "Prod")| dedup label</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-15-2024 04:09 AM

That's correct because label has to be unique, in this case it will not generate unique label.

I would suggest set the label as well with host field, because host name already tells you whether its QA or Prod or Dev.

 

I hope this helps!!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...