How can I use a source folder as an input token?

Hi guys!
I have a bunch of test data in JSON files as my sources and they're structured in the following way:
"/MyFolder/ProjectName/RunID/jsonFile" such as for example "/MyFolder/test1/47/ErrorMessages.json".
I want to populate two drop down menus in my dashboards with ProjectName and RunID.
So that the first drop down gets populated with Project names that the user can select. I then use this selection as a token in the second drop down menu and populate it with all the runs for that project. I now have two tokens that I can use for searching.
How can I best go about this? If there's a search I can do directly in Splunk to table all the project names and RunIDs this would of course be the easiest and most ideal. Otherwise I guess I'd have to start looking into creating a regEx or a lookup, but I'm not very proficient at those =p
Any help is greatly appreciated!
Thank you!

New Member

Do you want something like this?
| rex field=source "\/(?P[^\/]+)\/(?P[^\/]+)\/(?P[^\/]+)"

SplunkTrust

Since the ProjectName and RunID as part of the source/file path is something custom to your requirement, there will not be any readily available table to get you that.

One thing you can try is to run a metadata/tstats search to get a list of all sources (for your index/sourcetype of course) and use field extraction to get those values listed/made available for dashboard dropdowns. The following search can give you a list of ProjectName and RunID from the source:

| tstats count WHERE index=PutYourIndex sourcetype=PutYourSourceType by source | rex field=source "^\/[^\/]+\/(?<ProjectName>[^\/]+)\/(?<RunID>[^\/]+)" | stats count by ProjectName RunID | table ProjectName RunID

Now you can either use the search directly for the dropdown OR set up a scheduled search to write this data into a lookup file and then use the lookup file for the dropdown.
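
The two dependent dropdowns from the question, wired to the search above, as an added Simple XML example that is not part of the original thread. The 30-day time range, the labels and the result panel are assumptions; `$project|s$` wraps the selected value in quotes before it is placed into the second search.

```xml
<form version="1.1">
  <label>Project and run selector</label>
  <fieldset submitButton="false">
    <!-- Dropdown 1: distinct project names extracted from the source path -->
    <input type="dropdown" token="project" searchWhenChanged="true">
      <label>Project</label>
      <fieldForLabel>ProjectName</fieldForLabel>
      <fieldForValue>ProjectName</fieldForValue>
      <search>
        <!-- CDATA keeps the < and > of the named capture groups valid inside XML -->
        <query><![CDATA[
| tstats count WHERE index=PutYourIndex sourcetype=PutYourSourceType by source
| rex field=source "^\/[^\/]+\/(?<ProjectName>[^\/]+)\/(?<RunID>[^\/]+)"
| stats count by ProjectName
        ]]></query>
        <earliest>-30d@d</earliest> <!-- assumed time range -->
        <latest>now</latest>
      </search>
    </input>
    <!-- Dropdown 2: runs of the selected project only; |s quotes the token value -->
    <input type="dropdown" token="run" searchWhenChanged="true">
      <label>Run</label>
      <fieldForLabel>RunID</fieldForLabel>
      <fieldForValue>RunID</fieldForValue>
      <search>
        <query><![CDATA[
| tstats count WHERE index=PutYourIndex sourcetype=PutYourSourceType by source
| rex field=source "^\/[^\/]+\/(?<ProjectName>[^\/]+)\/(?<RunID>[^\/]+)"
| search ProjectName=$project|s$
| stats count by RunID
        ]]></query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Both tokens rebuild the folder layout given in the question -->
        <search>
          <query>index=PutYourIndex sourcetype=PutYourSourceType source="/MyFolder/$project$/$run$/*" | table _time source _raw</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```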

Beautiful, worked perfectly! Exactly what I needed!

Thank you! 😃