Dashboards & Visualizations

tokens and multiselect

Mohsin123
Path Finder

Hi ,
I have a case like this

index=i_prod (MemoryCached* OR MemoryTotal*) (host="vr" OR host="vfr") |table _time host MemoryCached* MemoryTotal*

i am passing host as muliselect token . MemoryCached and MemoryTotal and similar are fields in my index that are also i am fetching using a multiselect token using fieldsummary .

Now , i want to display a table statistics":

coloumns as

host MemoryTotal MemoryCached

Now , the query i am using above displays host as coloumn names but cant present the selected token as coloumn names

I am inteding an output like this

_time host MemoryCached MemoryTotal
2018-11-12 15:30:01 vgax16vr 1876791296 16649756672
2018-11-12 16:00:01 vgax16vr 1878134784 16649756672
2018-11-12 14:15:01 vgax16vr 1867366400 16649756672
2018-11-12 13:30:01 vgax16vr 1880264704 16649756672
2018-11-12 12:45:01 vgax17vr 1280692224 16649756672
2018-11-12 12:15:02 vgax16vr 1870192640 16649756672

Tags (1)
0 Karma

niketn
Legend

@Mohsin123 can you please add a bit more detail to your question? I feel the above output is what your current query should be providing. If not please share current output and expected output. Also share your current query.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Mohsin123
Path Finder

@niketn

index=idx_aprod (SwapFree OR MemoryTotal*) (host="*") source=Apigssor

| table _time host MemoryTotal SwapFree

Problem is :
multiselct tokens:
these are fields : (SwapFree OR MemoryTotal*)
host is a field : (host="")
host i can display as stats table , but when i am passing fields like swap
/memory* as tokens how to extract them and display as coloiumn values ...
hope u understand...if u wont mind, can u share your phone number
My results :

_time host MemoryTotal SwapFree
2018-11-13 15:00:02 vgax77vr 16649756672 9793662976
2018-11-13 15:00:02 vgax29vr 16649756672 9746841600
2018-11-13 15:00:01 vgax22vr 16649756672 10090438656
2018-11-13 15:00:02 vgax78vr 16649756672 9784999936
2018-11-13 15:00:01

0 Karma

Mohsin123
Path Finder

the results i am getting under host are values for the token host .
but memory* and Swap* are the field names i am [passing as tokens .
And i want to display their values for each host .
is there a way to create a new field for each token ...like $1=memoryfree , $2=swapfree
and i can display | table host $1 $2

0 Karma

Mohsin123
Path Finder

we create fields to tokens , here i want to create fields /colomns for each token value

0 Karma

niketn
Legend

@Mohsin123 seems like the table output in your question is your current search result. Can you show example of expected search result? Also use Code button 101010 to post SPL and data so that special characters do not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Mohsin123
Path Finder

@niketnilay

0 Karma

Mohsin123
Path Finder

@renjith.nair

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...