Splunk Search

How to define a field as a variable inside of the dashboard?


Hi Guys,

another newbie question, I hope you can help me,
I made a dashboard and now I need to make variables out of fields for nearly all of the fields so this dashboard and its own searches can be used for other data with the same format, and I also need my dashboard to work afterwards. Let me explain it this way; for example, here is one of my searches for the dashboard:

index=remedy | rex mode=sed field=source "s#/tmp/(.*).csv#\1.0/24#"| search source=$source$|sort -Status|chart count over B1 by Status |addtotals fieldname=total | sort -total | fields - total

I need to define the "B1" field as a variable so I could use the same search for other data in which the B1 field is called "C1" (e.g. make a variable such as Var for B1, where if Var=B1 the result should be the same as it was, and for another data set where Var=C1 (or some other value whose name we don't know yet) it should give me the result in the same format as for B1).

And also the same story for the index field (e.g. index=remedy in the current data set and index=nmap for the other data set).

Just for your information, I don't want to rename the field in the second data set to B1, since I don't want to make any changes myself!
Is there any possibility for this? Can you please help me?

Thanks a lot in advance


I can't tell exactly what you're asking, so let me try two guesses:

1) Do you want users to be able to drill down on the table row for a given value of the B1 field in index=remedy, and to search for that value as the value of the C1 field in index=nmap? This is fairly common and fairly easy and falls into the scope of table drilldown.


2) Do you want to run one report with one set of results that basically stitches information from the C1 field values in index=nmap in and among the appropriate values of the index=remedy | chart count over B1 by Status results? I.e. do you want to augment or add to the main search results using relevant information pulled out and matched up from the index=nmap events? This would be a general question about grouping, and your best tool would most likely be the stats command. Very roughly, and only as a rough example: index=remedy OR index=nmap | eval normalizedBCField=coalesce(B1,C1) | stats values(Status) as Status values(someFieldFromNMap) as someFieldFromNMap by normalizedBCField

0 Karma

Path Finder

Have you considered adding an Input to your dashboard? This would allow you to create a list of all the possible values you would want to use in your search. Then the user can use the drop-down menu (or whichever format you choose) to change the searches in the dashboard. The Token is what you could set as "Var", and then reference it as "$Var$" in any search you want the variable to be used in.
Look at "Add Input to the Dashboard".

0 Karma
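The following Simple XML dashboard is an added example (not code from either of the replies above or from the original poster) that puts both suggestions together: dropdown inputs set the tokens "index" and "Var" that the original search substitutes, and a second panel shows the coalesce/stats stitching from the first reply. The index and field names (remedy, nmap, B1, C1, Status), the time range, and the field names in the second panel are taken from the thread or assumed for illustration.

```xml
<form>
  <label>Count by field (token-driven)</label>
  <fieldset submitButton="true">
    <!-- Token "index": which index to search. Choices are the two indexes
         named in the question; add more here rather than in the search. -->
    <input type="dropdown" token="index" searchWhenChanged="false">
      <label>Index</label>
      <choice value="remedy">remedy</choice>
      <choice value="nmap">nmap</choice>
      <default>remedy</default>
    </input>
    <!-- Token "Var": the field to chart over. Tokens are substituted as plain
         text into the SPL, so a dropdown with fixed choices keeps the viewer
         from splicing arbitrary search text in the way a free-text input would
         (the search still runs with the viewer's own role permissions). -->
    <input type="dropdown" token="Var" searchWhenChanged="false">
      <label>Field to chart over</label>
      <choice value="B1">B1</choice>
      <choice value="C1">C1</choice>
      <default>B1</default>
    </input>
    <!-- Token "source": the value the original search already takes from the
         dashboard. The |s filter quotes and escapes the typed value. -->
    <input type="text" token="source" searchWhenChanged="false">
      <label>Source (e.g. 10.1.1.0/24, an assumed sample value)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>count over $Var$ by Status in index=$index$</title>
      <table>
        <search>
          <query>index=$index$ | rex mode=sed field=source "s#/tmp/(.*).csv#\1.0/24#" | search source=$source|s$ | chart count over $Var$ by Status | addtotals fieldname=total | sort -total | fields - total</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Both indexes stitched on one normalized field</title>
      <table>
        <!-- No token needed here: coalesce() picks whichever of B1 or C1 an
             event carries, so remedy and nmap rows group on the same key. -->
        <search>
          <query>index=remedy OR index=nmap | eval normalizedBCField=coalesce(B1,C1) | stats count values(Status) as Status by normalizedBCField</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Save this as the dashboard source (Edit > Source in Splunk Web). Because token substitution is textual, $Var$ can stand in for a field name, an index name, or any other piece of the search string, which is what makes one dashboard reusable across data sets with differently named fields.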