- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Filter out a subset of items based on another ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter out a subset of items based on another value in a CSV lookup
Hello again,
So lets say I have a CSV file that looks like the following:
node_code region_code
SAN AMERICAS
JPN APAC
NYC AMERICAS
CHN APAC
FRA EMEA
NUR EMEA
And lets say my search is the following:
<query>errorcode=$errorcode_tok$ | dedup em_event_alert | eval dv_node=upper(dv_node) | rex field=dv_node "(?P<testnode>\w{3})" | stats count by testnode</query>
And just for reference:
Field Definitions
- dv_node = The string that holds the hostname of devices
- em_event_alert = A unique alert ID #
What I'm trying to do is create a dropdown with a list of Regions. So in this example, if the user selects AMERICAS from the dropdown, I want to filter the search results to only display those corresponding items... in our case, SAN & NYC would be the values displayed.
As you can see in the search, it queries for the selected errorcode (don't worry, I already have that functionality figured out), dedup's, and then it takes the hostname, and makes the whole thing uppercase. Finally, we strip out just the first 3 letters (that's how I am able to match it up to the node_code field in the CSV). But I can't seem to determine how to start to create that search query. Any ideas would definitely be appreciated. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I believe the easiest way is the following:
% your query %
| lookup lookup_filename.csv node_code AS testnode
| search region_code=$token_drilldown$
| fields - region_code
Of course, you must change lookup_filename.csv and $token_drilldown$ with the names of your lookup and drilldown token.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I follow in regards to the $token_drilldown$ variable. I've never used drilldown because as far as I know, its based on you clicking on something to go down further. I just want to utilize a dropdown menu with those values.
If you can go into more detail, maybe it would make sense; right now, I'm not seeing it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry for typo, I meant $token_dropdown$ (not $token_drilldown$) as token from your dropdown list.
With the lookup command you'll create a new field region_code corresponding to testnode. And with search command you'll filter out all region codes except selected in dropdown list.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
