Hi,
I have four options in a drop down: Highest, Lowest, Top 5 and Least 5.
Each option has a query:
For example: 'Highest' is based on the query:
index=_internal idx=* source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024 | rename idx as Index | stats sum(totalGB) by Index|rename sum(totalGB) as "License Usage"|sort -"License Usage"|head 1
For example: 'Top 5' is based on the query:
index=_internal idx="*" source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024
| rename idx as Index |stats sum(totalGB) as LicenseUsage by Index |where LicenseUsage >5|sort -LicenseUsage
So, if I select one option, the results of that particular option and query should appear on the panel.
Can you please help me with the code as I have a problem building the exact code to link each search with the associated drop down option.
Thanks,
Bhaskar
Yes, you need to capture the selected value in a token, which you can use later.
Also, as your search seems to be common, I suggest you use a base search and a post-process search.
Your base search can be:
index=_internal idx="*" source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024
| rename idx as Index |stats sum(totalGB) as LicenseUsage by Index
Then in the post process search, you can use the token
where LicenseUsage > $token_value$
https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/Savedsearches
@bhaskarasplunk For each value you need to set a token. For example, if your drilldown value is Highest, set the token Highest to 1; if the value is lowest, set a token named lowest to 1; and similarly for Top 5 and Least 5.
<change>
  <condition value="Highest">
    <set token="Highest">1</set>
    <unset token="lowest"></unset>
    <unset token="least5"></unset>
    <unset token="top5"></unset>
  </condition>
  <condition value="lowest">
    <unset token="Highest"></unset>
    <set token="lowest">1</set>
    <unset token="least5"></unset>
    <unset token="top5"></unset>
  </condition>
  ----
  ----
</change>
For each query use depends; for example, for the query for Highest, use <search depends="$Highest$">
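
A complete Simple XML form that combines the two suggestions above (one base search, plus a token set by the dropdown's change handler and used as the post-process search), as an added example that is not part of any post in this thread. The names usage_view, post_filter and base_usage, the 24-hour time range, and the post-process strings for Lowest and Least 5 are assumptions; Highest and Top 5 follow the queries in the question.

```xml
<form>
  <label>License usage by index</label>
  <!-- Base search: runs once; every dropdown option post-processes its result. -->
  <search id="base_usage">
    <query>index=_internal idx="*" source=*license_usage.log type=Usage
      | eval totalMB = b/1024/1024 | eval totalGB = totalMB/1024
      | rename idx as Index
      | stats sum(totalGB) as LicenseUsage by Index</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="usage_view" searchWhenChanged="true">
      <label>View</label>
      <choice value="Highest">Highest</choice>
      <choice value="Lowest">Lowest</choice>
      <choice value="Top 5">Top 5</choice>
      <choice value="Least 5">Least 5</choice>
      <default>Highest</default>
      <change>
        <!-- Each condition stores the post-process string for that option. -->
        <condition value="Highest">
          <set token="post_filter">sort -LicenseUsage | head 1</set>
        </condition>
        <condition value="Top 5">
          <!-- Same filter as the "Top 5" query in the question. -->
          <set token="post_filter">where LicenseUsage &gt; 5 | sort -LicenseUsage</set>
        </condition>
        <condition value="Lowest">
          <!-- Assumed query: the thread does not give one for Lowest. -->
          <set token="post_filter">sort LicenseUsage | head 1</set>
        </condition>
        <condition value="Least 5">
          <!-- Assumed query: the thread does not give one for Least 5. -->
          <set token="post_filter">sort LicenseUsage | head 5</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search base="base_usage">
          <query>$post_filter$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because post_filter is only ever set from the fixed strings in the change handler, the dropdown selection never places free-form text into the search.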