Splunk Search

How to define a field as a variable inside of the dashboard?

sina_shafaei
Explorer

Hi Guys,

another newbe question, I hope you can help me,
I made a dashboard and now I need to make variables out of fields for nearly all of the fields so this dashboard and it's own searches can be used for other data with the same format, I also need my dashboard to work afterwards. let me explain it in this way, for example here is one of my searces for dashboard:

index=remedy | rex mode=sed field=source "s#/tmp/(.*).csv#\1.0/24#"| search source=$source$|sort -Status|chart count over B1 by Status |addtotals fieldname=total | sort -total | fields - total

I need to define "B1" field as a variable so I could use the same search for other data which B1 field in it is called "C1" (e.g make a variable such Var for B1, which if Var=B1 the result should be the same as it was and for other data set where Var=C1 (or some other value we don't know their name yet) it should give me the result in the same format for B1 )

and also same story for index field (e.g index=remedy in current data set and the index=nmap for other data set)

just for your information, I don't want to rename the field in second data set to B1 since I don't wanna do any changes by myself!
is there any possibility for this? can you please help me?

Thanks a lot in advance

sideview
SplunkTrust
SplunkTrust

I can't tell exactly what you're asking so let me try two guesses:

1) Do you want users to be able to drill down on the table row for a given value of the B1 field in index=remedy, and to search for that value as the value of the C1 field in index=nmap? This is fairly common and fairly easy and falls into the scope of table drilldown.

or

2) Do want to run one report with one set of result that basically stitches information from teh C1 field values in index=nmap, in and among the appropriate values of the index=remedy | chart count over B1 by Status results? ie do you want to augment or add to the main search results using relevant information pulled out and matched up from the index=nmap events? This would be a general question about grouping and your best tool would most likely be the stats command. Very roughly, and only as a rough example: index=remedy OR index=nmap | normalizedBCField=coalesce(B1,C1) | stats values(Status) as Status values(someFieldFromNMap) as someFieldFromNMap by normalizedBCField

0 Karma

krwinters11
Path Finder

Have you considered adding an Input to your dashboard? This would allow you to create a list of all the possible values you would want to use in your search. Then the user can use the drop-down menu (or which ever format you choose) to change the searches in the dashboard. The Token is what you could set as "Var" and then reference it as "$Var$" in any search you want the variable to be used in.
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard#Add_an_input_to...
Look at "Add Input to the Dashboard"

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...