Splunk ITSI

Is it possible to rename with "as" function for charted value from a single column?

elomotanpru
Path Finder

Hi Splunk Masters,

Currently stomped and couldn't find the solution through the forums.

I have to chart the values from this particular column that his 50 different instances that change per different input in the dropdown (kindly refer to the code and screenshots for reference). 

Currently searching  for a way to rename the values in the legend so that I could pass it in a drilldown to another dashboard. Is there a way to do it for the single column?

<edit>

I would want either to rename it or add the four (4) alphanumeric characters from the dropdown plus a <space>, < - >, and <space> before the series names.

For example, when the user selects D7X0, the output on the right is what the search would produce and the one on the left is my desired outcome:

BATPLOWD7X0 - BATPLOW
BATTLOWD7X0 - BATTLOW
D7X0WGHTD7X0 - D7X0WGHT
DDFTMEDD7X0 - DDFTMED
MQDFLTD7X0 - MQDFLT
STCHID7X0 - STCHI
STCLOWD7X0 - STCLOW
SYSSTCD7X0 - SYSSTC
SYSTEMD7X0 - SYSTEM
TSOMEDD7X0 - TSOMED
OTHERD7X0 - OTHER

</edit>

Thanks

elomotanpru_0-1654874915196.png

elomotanpru_1-1654874941936.png

 

 

<form theme="dark">
  <label>CSC/ERSC/PSI_SRVCLASS_Report</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="lpar">
      <label>Select to View</label>
      <choice value="-LPAR-">-LPAR-</choice>
      <choice value="D7X0">D7X0</choice>
      <choice value="H7X0">H7X0</choice>
      <choice value="D1D0">D1D0</choice>
      <choice value="DAD0">DAD0</choice>
      <choice value="E1D0">E1D0</choice>
      <choice value="H1D0">H1D0</choice>
      <choice value="WSYS">WSYS</choice>
      <choice value="YSYS">YSYS</choice>
      <default>-LPAR-</default>
    </input>
    <input type="text" token="from">
      <label>From MM/DD/YYYY</label>
      <default>01/01/2022</default>
    </input>
    <input type="text" token="to">
      <label>To MM/DD/YYYY</label>
      <default>01/31/2022</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>$lpar$ $from$ $to$</title>
      <chart>
        <title>Shows the Average of each Service Class</title>
        <search>
          <query>index=mainframe-platform sourcetype="mainframe:serviceclass" 
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time &gt;= strptime("$from$", "%m/%d/%Y") AND _time &lt;= strptime("$to$", "%m/%d/%Y")
| chart avg(MIPS_UTIL) over DATE by SRVCLASS</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
        <option name="charting.axisLabelsY.majorUnit">200</option>
        <option name="charting.axisTitleX.text">Dates</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.overlayFields">D7X0WGHT,H7X0WGHT,D1D0WGHT,DAD0WGHT,E1D0WGHT,H1D0WGHT,WSYSWGHT,YSYSWGHT</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">top</option>
        <option name="height">468</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

 

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

If you want to use the token, try forcing it to be a string

index=mainframe-platform sourcetype="mainframe:serviceclass"
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time >= strptime("$from$", "%m/%d/%Y") AND _time <= strptime("$to$", "%m/%d/%Y")
| eval SRVCLASS=$lpar|s$." - ".SRVCLASS
| chart sum(MIPS_UTIL) over DATE by SRVCLASS

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

It is not clear what you want to rename and when. Do you want to rename the series names? Do you just want to include the series name in the drilldown? Or something else?

0 Karma

elomotanpru
Path Finder

Apologies on that. Will edit the post to make it more clear.
I would want either to rename it or add the four (4) alphanumeric characters from the dropdown plus a <space>, < - >, and <space> before the series names.

For example, when the user selects D7X0, the output on the right is what the search would produce and the one on the left is my desired outcome:

BATPLOWD7X0 - BATPLOW
BATTLOWD7X0 - BATTLOW
D7X0WGHTD7X0 - D7X0WGHT
DDFTMEDD7X0 - DDFTMED
MQDFLTD7X0 - MQDFLT
STCHID7X0 - STCHI
STCLOWD7X0 - STCLOW
SYSSTCD7X0 - SYSSTC
SYSTEMD7X0 - SYSTEM
TSOMEDD7X0 - TSOMED
OTHERD7X0 - OTHER

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

          <query>index=mainframe-platform sourcetype="mainframe:serviceclass" 
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time &gt;= strptime("$from$", "%m/%d/%Y") AND _time &lt;= strptime("$to$", "%m/%d/%Y")
| eval SRVCLASS=MVS_SYSTEM." - ".SRVCLASS
| chart avg(MIPS_UTIL) over DATE by SRVCLASS</query>
0 Karma

elomotanpru
Path Finder

I tried that and also this version on a table panel but both instances gave the same "NULL" result.

Was wondering if there was a way to code it within the source to condition each of the values to the desired outcome.

The only downside would that if someone else works on the code might not be able to figure it out. But I can work that out through documentation if this would be possible. Will continue my search with this kind of a method.

elomotanpru_0-1654884989978.png

index=mainframe-platform sourcetype="mainframe:serviceclass"
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time >= strptime("$from$", "%m/%d/%Y") AND _time <= strptime("$to$", "%m/%d/%Y")
| eval SRVCLASS=$lpar$." - ".SRVCLASS
| chart sum(MIPS_UTIL) over DATE by SRVCLASS

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you want to use the token, try forcing it to be a string

index=mainframe-platform sourcetype="mainframe:serviceclass"
MVS_SYSTEM_ID=$lpar$
| eval DATE=strftime(strptime(DATE,"%d%b%Y"),"%Y-%m-%d")
| eval _time=strptime(DATE." ","%Y-%m-%d")
| where _time >= strptime("$from$", "%m/%d/%Y") AND _time <= strptime("$to$", "%m/%d/%Y")
| eval SRVCLASS=$lpar|s$." - ".SRVCLASS
| chart sum(MIPS_UTIL) over DATE by SRVCLASS

elomotanpru
Path Finder

This worked. Never knew you could use tokens like that.

Thanks so much for the help again! 😁

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...