Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter values in timechart for eval method

sawgata12345
Path Finder
‎04-25-2018 12:33 AM

Hi,
This is related to the question asked earlier
link: [https://answers.splunk.com/answers/643007/timechart-query-with-multiple-values-after-by.html#answer-...]

eval combination=sid."-".did."-".lun

for this sid,did and lun now i have three dropdowns where at page load first the sid gets filled up. Then upon selection of one sid , corresponding dids gets filled up, and selecting a did finally the lun dropdown gets filled up.
This is done.
The thing is if i do not select any of these the query in a panel should show result for all as below:
index="test19"|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination

But if I select specific values of sid,did,lun from dropdowns then query should show only for those selected :
index="test19" sid=$sids$ did=$dids$ lun=$luns$|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination

I have used "Dynamic Options"->search string to prefill the dropdowns. Now with this the "Token Options"->Default gets disabled, I cant add a default value so that if dropdown is not selected it takes for eg "" for lun=$$.

Also i need to change the eval part : eval combination=sid."-".did."-".lun
i.e if lun is not select in dropdown means all luns so it should be like
eval combination=sid."-".did
and not
eval combination=sid."-".did."-".lun

Tags (2)
0 Karma
Reply

TISKAR
Builder
‎04-25-2018 01:13 AM

Hello can you try this please,

<form>
  <label>DropDownSelect</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sid">
      <label>sid1</label>
      <choice value="ALL">*</choice>
      <choice value="sid1">sid1</choice>
      <choice value="sid2">sid2</choice>
      <choice value="sid3">sid3</choice>

    </input>

    <input type="dropdown" token="did">
      <label>sid1</label>
      <choice value="ALL">*</choice>
      <choice value="did1">did1</choice>
      <choice value="did2">did2</choice>
      <choice value="did3">did3</choice>
    </input>

     <input type="dropdown" token="lun">
      <label>sid1</label>
      <choice value="ALL">*</choice>
      <choice value="lun1">lun1</choice>
      <choice value="lun2">lun2</choice>
      <choice value="lun3">lun3</choice>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <query>index="test19" sid=$sids$ did=$dids$ lun=$luns$|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

sawgata12345
Path Finder
‎04-27-2018 03:38 AM

Hi,
The dropdown part is working, had to change

the option for all the dropdown "ALL" to *

For the second part of the query:
Also i need to change the eval part : eval combination=sid."-".did."-".lun
i.e if lun is not select in dropdown means all luns so it should be like
eval combination=sid."-".did
and not
eval combination=sid."-".did."-".lun

I have created three checkboxes:
how to check if a checkbox is selected and put the specific value for eval:
os if we select the sid checkbox only
eval combination=sid
if i select sid and did checkboxes
eval combination=sid."-".did
and if i select sid did and lun checkboxes
eval combination=sid."-".did."-".lun

The final value for combination in the below query should be after checking the selected checkboxes. How to check selected checkbox in a if condition inside the eval statement.

index="test19" sid="" did="" lun="*"|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...