Splunk Search

Base search query for different dashboard panels

bagarwal
Path Finder

Hello Everyone,

I am new to base search and need some help from you.

With the help of a base search, I want to prepare a dashboard where I can display the different applications installed in the network, e.g. the number of Chrome, Mozilla, Skype, etc. installations in different panels.

The filtering search query would likely be Product_name="Chrome" OR Product_name="Skype"

Note: I am using -- instead of the HTML tag, as it is not allowed while posting this. Thanks for understanding.

The base query I have written is:
--search id="product_name>
index="index_name" (ProductName=#1# OR ProductName=#2# OR ProductName=#3# OR etc.) | dedup host, ProductName | stats count
--/search>

and the main query:
--search base="product_name">
--query> stats count --/query>
--/search>

Basically, where I got stuck is this: I want the stats count, but when filtering by product name, do I need to mention it in the base query or later in the main query, and how do I do that for different product_name values in different dashboard panels referring to the base search?

Please help.

Thanks in advance,

Binay Agarwal


rjthibod
Champion

First, note that you can post code/xml in readable format using the button on the text format toolbar that looks like two rows of binary numbers. That will give you a text box to enter code. You can also use the back-tick character to wrap code.

Now, getting to your question. It seems like you left some details out of your original post. If I interpreted things correctly, my guess is you want to display the number of hosts for specific products. Is that correct?

If so, you would want to do the following. Note, you were missing <query></query> in your base search, and the use of dedup is unnecessary if you are just counting hosts by ProductName.

<!-- your base search -->
<search id="product_name">
  <query>
    index="index_name" (ProductName=#1# OR ProductName=#2# OR ProductName=#3# OR etc.)
    | stats count by host ProductName
  </query>
</search>

<!-- in your skype panel -->
<search base="product_name">
  <query>
    search ProductName="Skype"
    | stats count
  </query>
</search>

<!-- in your Chrome panel -->
<search base="product_name">
  <query>
    search ProductName="Chrome"
    | stats count
  </query>
</search>


DalJeanis
Legend

@bagarwal - you can use the "code" button - the one that looks like "101 010" - to mark a section of text as "code" so that the system will not mess with your formatting and html-like entries. You could also put a grave accent (looks like this ` ) in front of and after the code to accomplish the same thing. AND, you can also indent the code with four or more spaces in front of each line; that will also mark it as code. Hmm. There are a couple more ways, but one of those should help you next time you need to post a chunk of code.


bagarwal
Path Finder

Thanks a lot. It works 🙂 🙂


bagarwal
Path Finder
Hi,

Thanks for the valuable input.

I ran my query like this below, but somehow the result is not coming.
<!-- base search-->
  <search id="product_name">
    <query>index="index_name" (ProductName="Google Chrome" OR ProductName="Skype") | stats count</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Google Chrome</title>
        <search base="product_name">
          <query>search ProductName="Google Chrome" | stats count</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <title>Skype</title>
        <search base="product_name">
          <query>search ProductName="Skype" | stats count</query>
        </search>
      </single>
    </panel>
  </row>

Not sure what is missing or where I am doing wrong. If I run the above base query as a normal search I get the count, but when it passes to the query for the panel, no result is coming.

I will be really thankful if it can be fixed.

Thanks & Regards,
Binay Agarwal

rjthibod
Champion

Try this. You are missing ProductName and host in the base search. Your previous post removed those fields when you ran stats count with no by clause.

   <search id="product_name">
     <query>index="index_name" (ProductName="Google Chrome" OR ProductName="Skype") | stats count by ProductName host</query>
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
   </search>
   <fieldset submitButton="false">
     <input type="time" token="field1">
       <label></label>
       <default>
         <earliest>-24h@h</earliest>
         <latest>now</latest>
       </default>
     </input>
   </fieldset>
   <row>
     <panel>
       <single>
         <title>Google Chrome</title>
         <search base="product_name">
           <query>search ProductName="Google Chrome" | stats count</query>
         </search>
       </single>
     </panel>
   </row>
   <row>
     <panel>
       <single>
         <title>Skype</title>
         <search base="product_name">
           <query>search ProductName="Skype" | stats count</query>
         </search>
       </single>
     </panel>
   </row>
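For reference, here is the same pattern as a complete SimpleXML form (an added example written for this page, not code from either poster). The base search keeps the host and ProductName fields that every post-process search needs, each single-value panel counts the hosts that have one product, and a table panel reuses the same base search to list host counts for every product. The index name and the third product name are placeholders.

```xml
<form>
  <!-- Base search: a transforming search that keeps every field the
       post-process searches below filter or aggregate on (host, ProductName).
       "stats count" without a BY clause would drop them and the panels would match nothing. -->
  <search id="product_name">
    <query>index="index_name" (ProductName="Google Chrome" OR ProductName="Skype" OR ProductName="PLACEHOLDER_PRODUCT")
      | stats count by host ProductName</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Hosts with Google Chrome</title>
        <!-- Each base-search row is one (host, ProductName) pair, so the row count after filtering is the host count. -->
        <search base="product_name">
          <query>search ProductName="Google Chrome" | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <single>
        <title>Hosts with Skype</title>
        <search base="product_name">
          <query>search ProductName="Skype" | stats count</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Hosts per product (all products in the base search)</title>
        <search base="product_name">
          <query>stats dc(host) AS hosts by ProductName | sort - hosts</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```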