How to build a query from 2 different multivalue i...

ByteFlinger · ‎11-07-2017

I have a bunch of indexes in the format of <environment>-<machineType>

This is something like test-manager, staging-manager, staging-client

I would like to build a dashboard where the user can select 2 different multi-value inputs, one for the environment and another for the machine type which would then reflect on the graphs themselves.

I can build a dynamic multi-valued input for environment using a query like

| eventcount summarize=false index="*" | rex field=index "(?<environment>.*?)-.*?$" | dedup environment | fields environment

or just a static one, doesn't matter much.

What I am having a hard time with is how do I join the user selections into a search?

An example would be the user selects test and qa for environment and then selects manager for machine type and I am looking for the query to contain something like

index="test-manager" OR index="qa-manager"

How would one go about this?

deepashri_123 · ‎12-12-2017

Hi,

You can try using token prefix and token suffixes as token itself.
For eg. for environment , token suffix will be -$machinetype$ and for machinetype token prefix will be -$environment$.

Hope this helps!!!!!!!

DalJeanis · ‎11-07-2017

There are many ways. Probably the easiest, if the words are all distinct on both sides, is to just have each side wildcarded so that...

(index="test-*" OR index="staging-*" ...) AND (index="*-manager" OR  index="*-client"... )

How to build a query from 2 different multivalue inputs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms