Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how do you change a query result when a drop down option is selected within a panel?

bhaskarasplunk
Explorer
‎02-25-2019 01:56 PM

Hi,

I have four options in a drop down--- Highest,Lowest ,Top 5 and Least 5.

Each option has a query:

For example : 'Highest' is based on the query: 

index=_internal idx=* source=*license_usage.log type=Usage |  eval totalMB = b/1024/1024  | eval totalGB = totalMB /1024 | rename idx as Index | stats sum(totalGB) by Index|rename sum(totalGB) as "License Usage"|sort -"License Usage"|head 1

For example : 'Top 5' is based on the query: 

index=_internal idx="*" source=*license_usage.log type=Usage |  eval totalMB = b/1024/1024  | eval totalGB = totalMB /1024 
| rename idx as Index |stats sum(totalGB) as LicenseUsage by Index |where LicenseUsage >5|sort -LicenseUsage

So, if I select the one option, the results of that particular option and query should come on the panel.

Can you please help me with the code as I have a problem building the exact code to link each search with the associated drop down option.

Thanks,

Bhaskar

0 Karma
Reply

lakshman239
Influencer
‎02-26-2019 04:41 AM

yes, you need to capture the selected value on to a token, which you can use later.

Also, as your search seems to be common, suggest, you use base and post-process search.

your base search can be

index=_internal idx="*" source=*license_usage.log type=Usage | eval totalMB = b/1024/1024 | eval totalGB = totalMB /1024
| rename idx as Index |stats sum(totalGB) as LicenseUsage by Index

Then in the post process search, you can use the token

 where LicenseUsage > $token_value$

https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/Savedsearches

0 Karma
Reply

Vijeta
Influencer
‎02-25-2019 04:13 PM

@bhaskarasplunk for each value you need to set a token. for example if your drilldown value is highest set the token highest to 1, of value is lowest , set a token name it lowest to 1 and similarly for Top 5 and least 5

<change>
  <condition value="Highest">
    <set token="Highest">1</set>
    <unset token="lowest"></unset>
    <unset token="least5"></unset>
    <unset token="top5"></unset>
 <condition value="lowest">
    <unset token="Highest"></unset>
    <set token="lowest">1</set>
    <unset token="least5"></unset>
    <unset token="top5"></unset>
----
----
</condition>
</change>

. For each query use depends for example for query for highest..use <search depends=$Highest$>

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...