Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I filter results based on the "Status" field produced by a saved search?

vtsguerrero
Contributor
‎04-06-2015 01:06 PM

Hello guys! Sup?

Well, I have a saved search which produces a status field based on an average field and a difference field, so, events from this saved search have a field called Status which can be "green", "yellow" or "red". The point is... In another separated view, I need to load this saved search and filter its results based on the input type radio - green, yellow and red.
How can I achieve that using this saved search ( report )?
Thanks in advance!

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-06-2015 01:26 PM

You'll need to add the report to a dashboard. Then you'll need to add a form input. The form input will then let you define a token, which gets put into the search in the dashboard.

See this as a good example (ignore the app creation part): http://dev.splunk.com/view/webframework-htmldashboards/SP-CAAAETQ

Here is another useful page: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Buildandeditforms

Here is a useful cheatsheet: http://blogs.splunk.com/wp-content/uploads/2013/05/form_cheatsheet.pdf

Here is a relatively sloppy example:
1.) Go to your dashboard
2.) Add your saved search / report
3.) Edit > Edit Source, and add

<input type="radio" token="status)token">
     <label>Select a status</label>
     <choice value="green">Green</choice>
     <choice value="yellow">Yellow</choice>
     <choice value="red">red</choice>
</input>

Now, go to where your search is in the source, and replace the part of your search with your $status_token$.

<row>
    <panel>
      <!-- Use tokens from the <input> elements in the panel title -->
      <title>
        Visualization of $status_token$ Values
      </title>

      <chart>

        <!-- search for the visualization, references the input tokens-->
        <search>
          <query>
            index=my_fave_index status=$status_token$
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>

       </chart>

    </panel>
  </row>

Edit in response to comments:

You could, for example, use whats called a global search.

<!-- This defines your "global search" -->
  <search id="global_search" ref="main_search_report"></search>


  <!-- This defines your token -->
  <input type="radio" token="status_token">
    <label>Select a status</label>
    <choice value="green">Green</choice>
    <choice value="yellow">Yellow</choice>
    <choice value="red">red</choice>
  </input>


  <!-- This defines your second search -->
  <row>
    <panel>
      <table>
        <search base="global_search">
          <query>| search STATUS=$status_token$</query>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>

See this link for more help: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Buildandeditforms#Create_a_form_with_a_global_...

Reply

vtsguerrero
Contributor
‎04-07-2015 06:53 AM

Hello @aljohnson_splunk !
But the thing is, this saved search will be used in another query for future dashboards, will it be able to filter status even after the saved search has been done, so I can use it like SQL Temp Table for example, should be like a query inside a query...

0 Karma
Reply

vtsguerrero
Contributor
‎04-07-2015 08:48 AM

For example, this is my current Report:

PROCESS LAST_VOLUME AVERAGE_VOLUME  VARIATION_VOLUME    STATUS
BD2VC001    66057315    65995566.000000 0.09356537680   Green
BD2VC002    49328988    49160912.750000 0.34188797685   Green
BD2VC003    105138577   105195031.000000    0.0536660329517 Green
BD1VC004    689874  236995.000000   191.092217135   Red

I'm going to use this report in another dashboard, wich is gonna use a Status Input Filter, should I make a report for each status and use the token for name of the report or can I filter by status after the report is done with all the possible status?

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎04-07-2015 01:17 PM

I updated my answer to what I would do, which is use a global search, but, a lot of this is preference, or dependent on what your data looks like. Global searches have limitations that might make them the wrong choice here.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...