Solved: How to create multiple values in time chart based ...

jialiu907 · ‎05-23-2023

I am looking to have a time chart table that has a dropdown menu based on a token, be able to show all of the values of the dropdown menu in its first option and have it displayed as the default. Each value only shows one line, and I'm looking for all of the lines to populate the chart in the All selection.

This is my current time chart.

This is the current values based on the token.

This is the current search.

index=main host=$token$* sourcetype=syslog process=elcsend "\"config " CentOS 
| rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)"  
| search role=std-dhcp
| eval location=$token|s$
| timechart span=1d count by location

If unable to do that, I am also open to the option of removing the dropdown menu and only having the default time chart showcasing all of the values.

ITWhisperer · ‎05-23-2023

If location is always the first 4 characters of host, then use this

| eval location=substr(host,0,4)

View solution in original post

ITWhisperer · ‎05-23-2023

If location is always the first 4 characters of host, then use this

| eval location=substr(host,0,4)

jialiu907 · ‎05-23-2023

Thank you so much, that worked perfectly!

How to create multiple values in time chart based on dropdown menu token?

rex

timechart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?