Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filter values in timechart for eval method
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter values in timechart for eval method
sawgata12345
Path Finder
04-25-2018
12:33 AM
Hi,
This is related to the question asked earlier
link: [https://answers.splunk.com/answers/643007/timechart-query-with-multiple-values-after-by.html#answer-...]
eval combination=sid."-".did."-".lun
for this sid,did and lun now i have three dropdowns where at page load first the sid gets filled up. Then upon selection of one sid , corresponding dids gets filled up, and selecting a did finally the lun dropdown gets filled up.
This is done.
The thing is if i do not select any of these the query in a panel should show result for all as below:
index="test19"|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination
But if I select specific values of sid,did,lun from dropdowns then query should show only for those selected :
index="test19" sid=$sids$ did=$dids$ lun=$luns$|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination
I have used "Dynamic Options"->search string to prefill the dropdowns. Now with this the "Token Options"->Default gets disabled, I cant add a default value so that if dropdown is not selected it takes for eg "" for lun=$$.
Also i need to change the eval part : eval combination=sid."-".did."-".lun
i.e if lun is not select in dropdown means all luns so it should be like
eval combination=sid."-".did
and not
eval combination=sid."-".did."-".lun
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TISKAR
Builder
04-25-2018
01:13 AM
Hello can you try this please,
<form>
<label>DropDownSelect</label>
<fieldset submitButton="false">
<input type="dropdown" token="sid">
<label>sid1</label>
<choice value="ALL">*</choice>
<choice value="sid1">sid1</choice>
<choice value="sid2">sid2</choice>
<choice value="sid3">sid3</choice>
</input>
<input type="dropdown" token="did">
<label>sid1</label>
<choice value="ALL">*</choice>
<choice value="did1">did1</choice>
<choice value="did2">did2</choice>
<choice value="did3">did3</choice>
</input>
<input type="dropdown" token="lun">
<label>sid1</label>
<choice value="ALL">*</choice>
<choice value="lun1">lun1</choice>
<choice value="lun2">lun2</choice>
<choice value="lun3">lun3</choice>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index="test19" sid=$sids$ did=$dids$ lun=$luns$|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sawgata12345
Path Finder
04-27-2018
03:38 AM
Hi,
The dropdown part is working, had to change
the option for all the dropdown "ALL" to *
For the second part of the query:
Also i need to change the eval part : eval combination=sid."-".did."-".lun
i.e if lun is not select in dropdown means all luns so it should be like
eval combination=sid."-".did
and not
eval combination=sid."-".did."-".lun
I have created three checkboxes:
how to check if a checkbox is selected and put the specific value for eval:
os if we select the sid checkbox only
eval combination=sid
if i select sid and did checkboxes
eval combination=sid."-".did
and if i select sid did and lun checkboxes
eval combination=sid."-".did."-".lun
The final value for combination in the below query should be after checking the selected checkboxes. How to check selected checkbox in a if condition inside the eval statement.
index="test19" sid="" did="" lun="*"|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination
Get Updates on the Splunk Community!
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
