- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I use a source folder as a input token...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi guys!
I have a bunch of test data in JSON files as my sources and they're structured in the following way:
"/MyFolder/ProjectName/RunID/jsonFile" such as for example "/MyFolder/test1/47/ErrorMessages.json".
I want to populate two drop down menus in my dashboards with ProjectName and RunID.
So that the first drop down get populated with Project names that the user can select. I then use this selection as a token in the second drop down menu and populate it with all the runs for that project. I now have two tokens that I can use for searching.
How can I best go about this? If there's a search I can do directly in Splunk to table all the project names and RunIDs this would of course be the easiest and most ideal. Otherwise I guess I'd have to start looking into creating a regEx or a lookup, but I'm not very proficient at those =p
Any help is greatly appreciated!
Thanks you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Since the ProjectName and RunID as part of the source/file path is something custom to your requirement, there will not be any readily available table to get you that.
Once this you can try is to run a metadata/tstats search to get list of all sources (for your index/sourcetype of course) and use field extraction to get those values listed/made available for dashboard dropdowns. Following search can give you list of ProjectName adn RunID from the source:-
| tstats count WHRE index=PutYourIndex sourcetype=PutYourSourceType by source | rex field=source "^\/[^\/]+\/(?<ProjectName>[^\/]+)\/(?<RunID>[^\/]+)" | stats count by ProjectName RunID | table ProjectName RunID
Now you can either use the search directly for the dropdown OR setup a scheduled search to write this data into a lookup file and then use the lookup file for the dropdown.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
do you want something like this?
| rex field=source "\/(?P[^\/]+)\/(?P[^\/]+)\/(?P[^\/]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Since the ProjectName and RunID as part of the source/file path is something custom to your requirement, there will not be any readily available table to get you that.
Once this you can try is to run a metadata/tstats search to get list of all sources (for your index/sourcetype of course) and use field extraction to get those values listed/made available for dashboard dropdowns. Following search can give you list of ProjectName adn RunID from the source:-
| tstats count WHRE index=PutYourIndex sourcetype=PutYourSourceType by source | rex field=source "^\/[^\/]+\/(?<ProjectName>[^\/]+)\/(?<RunID>[^\/]+)" | stats count by ProjectName RunID | table ProjectName RunID
Now you can either use the search directly for the dropdown OR setup a scheduled search to write this data into a lookup file and then use the lookup file for the dropdown.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Beautiful, worked perfectly! Exactly what I needed!
Thank you! 😃
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
