Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter values in timechart for eval method

sawgata12345
Path Finder
‎04-25-2018 12:33 AM

Hi,
This is related to the question asked earlier
link: [https://answers.splunk.com/answers/643007/timechart-query-with-multiple-values-after-by.html#answer-...]

eval combination=sid."-".did."-".lun

for this sid,did and lun now i have three dropdowns where at page load first the sid gets filled up. Then upon selection of one sid , corresponding dids gets filled up, and selecting a did finally the lun dropdown gets filled up.
This is done.
The thing is if i do not select any of these the query in a panel should show result for all as below:
index="test19"|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination

But if I select specific values of sid,did,lun from dropdowns then query should show only for those selected :
index="test19" sid=$sids$ did=$dids$ lun=$luns$|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination

I have used "Dynamic Options"->search string to prefill the dropdowns. Now with this the "Token Options"->Default gets disabled, I cant add a default value so that if dropdown is not selected it takes for eg "" for lun=$$.

Also i need to change the eval part : eval combination=sid."-".did."-".lun
i.e if lun is not select in dropdown means all luns so it should be like
eval combination=sid."-".did
and not
eval combination=sid."-".did."-".lun

Tags (2)
0 Karma
Reply

TISKAR
Builder
‎04-25-2018 01:13 AM

Hello can you try this please,

<form>
  <label>DropDownSelect</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sid">
      <label>sid1</label>
      <choice value="ALL">*</choice>
      <choice value="sid1">sid1</choice>
      <choice value="sid2">sid2</choice>
      <choice value="sid3">sid3</choice>

    </input>

    <input type="dropdown" token="did">
      <label>sid1</label>
      <choice value="ALL">*</choice>
      <choice value="did1">did1</choice>
      <choice value="did2">did2</choice>
      <choice value="did3">did3</choice>
    </input>

     <input type="dropdown" token="lun">
      <label>sid1</label>
      <choice value="ALL">*</choice>
      <choice value="lun1">lun1</choice>
      <choice value="lun2">lun2</choice>
      <choice value="lun3">lun3</choice>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <query>index="test19" sid=$sids$ did=$dids$ lun=$luns$|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

sawgata12345
Path Finder
‎04-27-2018 03:38 AM

Hi,
The dropdown part is working, had to change

the option for all the dropdown "ALL" to *

For the second part of the query:
Also i need to change the eval part : eval combination=sid."-".did."-".lun
i.e if lun is not select in dropdown means all luns so it should be like
eval combination=sid."-".did
and not
eval combination=sid."-".did."-".lun

I have created three checkboxes:
how to check if a checkbox is selected and put the specific value for eval:
os if we select the sid checkbox only
eval combination=sid
if i select sid and did checkboxes
eval combination=sid."-".did
and if i select sid did and lun checkboxes
eval combination=sid."-".did."-".lun

The final value for combination in the below query should be after checking the selected checkboxes. How to check selected checkbox in a if condition inside the eval statement.

index="test19" sid="" did="" lun="*"|fields sid,did,lun,readio|eval combination=sid."-".did."-".lun | eval res = readio / 1 | timechart span=60 avg(res) as AVG usenull=f by combination

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...