
Help on SPL query - Dashboard Studio

jaibalaraman
Path Finder

How do I edit the below append command into my real-time environment?

The below source was obtained from Splunk Dashboard Studio.

 | makeresults count=50
| eval app="Web Server"
| eval type="User"
| append
[ makeresults count=28
| eval app="Web Server"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Web Server"
| eval type="Idle"
]
| append
[makeresults count=22
| eval app="Network"
| eval type="User"
]
| append
[ makeresults count=48
| eval app="Network"
| eval type="System"
]
| append
[ makeresults count=30
| eval app="Network"
| eval type="Idle"
]
| append
[makeresults count=65
| eval app="Load Balancer"
| eval type="User"
]
| append
[ makeresults count=17
| eval app="Load Balancer"
| eval type="System"
]
| append
[ makeresults count=18
| eval app="Load Balancer"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Storage"
| eval type="User"
]
| append
[ makeresults count=27
| eval app="Storage"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Storage"
| eval type="Idle"
]
| append
[makeresults count=18
| eval app="Database"
| eval type="User"
]

| append
[ makeresults count=60
| eval app="Database"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Database"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Security"
| eval type="User"
]
| append
[ makeresults count=12
| eval app="Security"
| eval type="System"
]
| append
[ makeresults count=38
| eval app="Security"
| eval type="Idle"
]

| append
[makeresults count=45
| eval app="Auth Server"
| eval type="User"
]
| append
[ makeresults count=32
| eval app="Auth Server"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Auth Server"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="CDN"
| eval type="User"
]

| append
[ makeresults count=28
| eval app="CDN"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="CDN"
| eval type="Idle"
]

| chart count by app, type
| eval sort_field=case(app=="Login",1,app=="Search",2,app=="Cart",3,app=="Pricing",4,app=="Checkout",5,app=="Order Management",6,app=="Gifting",7,app=="Chat",8)
| sort sort_field
| table app, User, System, Idle

jaibalaraman_0-1683852910658.png

My current Splunk search:

jaibalaraman_1-1683853084601.png

index=sample  x_host_header=www.sample.com

| eval Device = if(match(useragent,"SM-"),"Android", if(match(useragent,"Windows"),"Windows",if(match(useragent,"Mac"),"Mac",if(match(useragent,"CPH"),"Android",if(match(useragent,"Nokia"),"Android",if(match(cs_user_agent,"Pixel"),"Android",if(match(useragent,"TB-"),"Android",if(match(useragent,"VFD"),"Android",if(match(useragent,"HP%20Pro%20Slate"),"Android",if(match(cs_user_agent,"VOG-L09"),"Android",if(match(useragent,"YAL-L21"),"Android",if(match(useragent,"ATU-L22"),"Android",if(match(useragent,"MAR-LX1A"),"Android",if(match(useragent,"RNE-L22"),"Android",if(match(useragent,"INE-LX2"),"Android",if(match(useragent,"AMN-LX2"),"Android",if(match(useragent,"LYO-LO2"),"Android",if(match(useragent,"DRA-LX9"),"Android",if(match(useragent,"LYA-L29"),"Android",if(match(useragent,"ANE-LX2J"),"Android",if(match(useragent,"STK-L22"),"Android",if(match(useragent,"EML-AL00"),"Android",if(match(useragent,"BLA-L29"),"Android",if(match(useragent,"X11"),"Linux",if(match(useragent,"LDN-LX2"),"Android",if(match(useragent,"TB3-"),"Android",if(match(useragent,"5033T"),"Android",if(match(useragent,"5028D"),"Android",if(match(useragent,"5002X"),"Android",if(match(useragent,"COR-"),"Android",if(match(useragent,"MI%20MAX"),"Android",if(match(useragent,"WAS-LX2"),"Android",if(match(useragent,"vivo"),"Android",if(match(useragent,"EML-L29"),"Android",if(match(useragent,"Moto"),"Android",if(match(useragent,"MMB"),"Android","OTHER"))))))))))))))))))))))))))))))))))))

0 Karma

jaibalaraman
Path Finder

Yes, I have created an eval SPL query to find out the list of mobile devices (Android / Mac / Windows / Bot / Linux / DuckDuckGo).

Please find below the eval command, which is working 100% fine; the SPL command was shared in my previous post.

index=sample  x_host_header=www.sample.com

| eval Device = if(match(useragent,"SM-"),"Android", if(match(useragent,"Windows"),"Windows",if(match(useragent,"Mac"),"Mac",if(match(useragent,"CPH"),"Android",if(match(useragent,"Nokia"),"Android",if(match(cs_user_agent,"Pixel"),"Android",if(match(useragent,"TB-"),"Android",if(match(useragent,"VFD"),"Android",if(match(useragent,"HP%20Pro%20Slate"),"Android",if(match(cs_user_agent,"VOG-L09"),"Android",if(match(useragent,"YAL-L21"),"Android",if(match(useragent,"ATU-L22"),"Android",if(match(useragent,"MAR-LX1A"),"Android",if(match(useragent,"RNE-L22"),"Android"

jaibalaraman_0-1683889906404.png

What I am trying to achieve:

I am creating a Dashboard Studio dashboard for our application, where I am trying to reverse engineer an already created, predefined Dashboard Studio dashboard.

The output which I am expecting is to see the list of users who are using Android / Mac / Windows / Linux / DuckDuckGo.

I am not sure how to edit the below append function so that it will give me that output.

 | makeresults count=50
| eval app="Web Server"
| eval type="User"
| append
[ makeresults count=28
| eval app="Web Server"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Web Server"
| eval type="Idle"
]
| append
[makeresults count=22
| eval app="Network"
| eval type="User"
]
| append
[ makeresults count=48
| eval app="Network"
| eval type="System"
]
| append
[ makeresults count=30
| eval app="Network"
| eval type="Idle"
]
| append
[makeresults count=65
| eval app="Load Balancer"
| eval type="User"
]
| append
[ makeresults count=17
| eval app="Load Balancer"
| eval type="System"
]
| append
[ makeresults count=18
| eval app="Load Balancer"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Storage"
| eval type="User"
]
| append
[ makeresults count=27
| eval app="Storage"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Storage"
| eval type="Idle"
]
| append
[makeresults count=18
| eval app="Database"
| eval type="User"
]

| append
[ makeresults count=60
| eval app="Database"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="Database"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="Security"
| eval type="User"
]
| append
[ makeresults count=12
| eval app="Security"
| eval type="System"
]
| append
[ makeresults count=38
| eval app="Security"
| eval type="Idle"
]

| append
[makeresults count=45
| eval app="Auth Server"
| eval type="User"
]
| append
[ makeresults count=32
| eval app="Auth Server"
| eval type="System"
]
| append
[ makeresults count=23
| eval app="Auth Server"
| eval type="Idle"
]

| append
[makeresults count=50
| eval app="CDN"
| eval type="User"
]

| append
[ makeresults count=28
| eval app="CDN"
| eval type="System"
]
| append
[ makeresults count=22
| eval app="CDN"
| eval type="Idle"
]

| chart count by app, type
| eval sort_field=case(app=="Login",1,app=="Search",2,app=="Cart",3,app=="Pricing",4,app=="Checkout",5,app=="Order Management",6,app=="Gifting",7,app=="Chat",8)
| sort sort_field
| table app, User, System, Idle

Thanks

0 Karma

ITWhisperer
SplunkTrust

Edit the data source, or create a new one based on your search, and update the panel to use the new / updated data source.

0 Karma

jaibalaraman
Path Finder

Sorry, I am trying to achieve the same output which I have used with eval, applying the same concept for Dashboard Studio. Not sure how I edit t

0 Karma

ITWhisperer
SplunkTrust

Open the dashboard and click on the edit option

ITWhisperer_0-1683893133381.png

Then click on the edit Data Overview button

ITWhisperer_1-1683893180525.png

Click on the pencil for the search you want to update

ITWhisperer_2-1683893259543.png

Or create a new search

ITWhisperer_3-1683893284955.png

Paste your search into the Search with SPL box

0 Karma

ITWhisperer
SplunkTrust

What is it that you are trying to achieve?

By the way, you could convert the series of nested if functions to a case function.

0 Karma
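As an added example (not part of any post in this thread), here is one replacement data-source search that applies both suggestions above at once: it is the SPL you would paste into the Search with SPL box in place of the makeresults chain, and it rewrites the nested if() chain as a single case(). Assumptions: the user-agent field is useragent throughout (the original eval reads two of its strings from cs_user_agent instead); the Huawei model strings are collapsed to their prefixes (VOG-L, YAL-L, ..., EML-A?L), which is broader than the exact models in the original; DuckDuckGo is detected by the literal token "DuckDuckGo", which the original did not pattern; and x_host_header stands in for the sample's app field as the row split, so the result has the same shape (one row per host, one column per Device value) that the sample's chart count by app, type produces.

```spl
index=sample x_host_header=www.sample.com
| eval Device=case(
    match(useragent, "DuckDuckGo"), "DuckDuckGo",
    match(useragent, "Windows"), "Windows",
    match(useragent, "Mac"), "Mac",
    match(useragent, "X11"), "Linux",
    match(useragent, "SM-|CPH|Nokia|Pixel|TB3?-|VFD|HP%20Pro%20Slate|MI%20MAX|50(?:33T|28D|02X)|COR-|vivo|Moto|MMB|(?:VOG|YAL|ATU|MAR|RNE|INE|AMN|LYO|DRA|LYA|ANE|STK|BLA|LDN|WAS)-L|EML-A?L"), "Android",
    true(), "OTHER")
| chart count over x_host_header by Device
```

case() returns the value of the first condition that is true, so the order of the pairs is the precedence, exactly as the nesting order was in the if() chain; the DuckDuckGo pair has to come first because that browser's user agent also carries the platform tokens that the Mac and Android pairs look for, and true() at the end plays the role of the innermost "OTHER" default. match() takes a regular expression, which is why the Android models can be folded into one alternation instead of one if() per model. Because the panel was built against the columns User, System and Idle, its column references need to be updated to the Device values (Android, Windows, Mac, Linux, DuckDuckGo, OTHER) after the data source is swapped; dropping the x_host_header filter gives one row per host instead of one. The caveat a security engineer would add: User-Agent is supplied by the client, so these counts report what clients claim to be, and a scripted client can pick whichever column it likes.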