Splunk Search

How to dynamically utilize the number of field values?

cquinney
Communicator

Greetings Everyone!

I'm in need of a second, third, etc. set of eyes. I'm attempting to create a search for a dynamic dropdown that populates a multi-field value based on its correlation to a number of field values in a separate field.

Sample search:

Process=ABC OR Process=EFG OR Process=XYZ
| stats dc(Process) as DCP values(Process) as Process by PROGRAM

RESULTS:

PROGRAM    DCP    Process
Splunk     3      ABC, EFG, XYZ
Windows    3      ABC, EFG, XYZ
Linux      2      ABC, EFG

The desired outcome would be for the dropdown to only populate "Splunk & Windows", which I can accomplish by using something like

| where DCP >=3

However, the dropdown is multi-select and there could be only one "Process" chosen or 10. Therefore, I need the number in the where command to be dependent upon the number of Process values.

Any assistance in resolving this would be greatly appreciated.

0 Karma
1 Solution

woodcock
Esteemed Legend

Now we are cooking. Based on your new comment, the knowledge that you lack is here:
https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#eval
So let's say your fieldset area has input tokens of process_token and program_token, then you need to add this to your XML:

<eval token="process_count">mvcount(split("$process_token$", " OR "))</eval>

Then you just use this in your search:

... | where DCP>$process_count$

Here is a run-anywhere Proof-of-Concept to demonstrate:

| makeresults 
| eval process_token="((Process=\"ABC\") OR (Process=\"EFG\") OR (Process=\"XYZ\"))", program_token="((PROGRAM=\"Splunk\") OR (PROGRAM=\"Windows\"))"
| eval process_count=mvcount(split(process_token, " OR "))
| map search="|makeresults 
| eval search=\"index=foo sourcetype=bar (($process_token$) AND ($program_token$))
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| where DCP>$process_count$\""


0 Karma


cquinney
Communicator

Gregg,

Thank you! The only adjustment I had to make was adding an equal sign after the ">" symbol. So basically it's now:

| where DCP>=$process_count$

Thank you again for the assist!!

woodcock
Esteemed Legend

Your re-statement cracked the case for me. I just was not getting what you needed at first.

0 Karma

woodcock
Esteemed Legend

Actually, I would change it to use " OR " instead of "OR", just in case a process name happens to contain OR!

0 Karma

jkat54
SplunkTrust

Does this work?

Process=ABC OR Process=EFG OR Process=XYZ
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| eval MVCP=mvcount(Process)
| streamstats max(MVCP) as MaxMVCP
| where MaxMVCP=DCP

0 Karma

cquinney
Communicator

@jkat54

Thank you for the suggestion, it doesn't solve my dilemma entirely as I still get results for 2 or fewer Processes, when I'm only wanting Processes associated with all three. Nevertheless, this has given me a few new ideas to try, so thank you again for the new perspective.

0 Karma

woodcock
Esteemed Legend

This is an incomplete description. I do not get it at all. Come back around and give more detail. The way that I understand it, you should just be able to do ... | where PROGRAM="Splunk" OR PROGRAM="Windows" | stats count BY Process | table Process but that is so easy, I am surely not understanding you.

0 Karma

cquinney
Communicator

Hi Gregg,

So I have a dashboard w/ two multi-select inputs, the first being Process, and the second being Programs.

For my Process input, I have 10 choices (ABC, DEF, GHI, etc.)

A token from the Process input populates the Programs input via search (see current search below):

index=foo (Process=ABC OR Process=EFG OR Process=XYZ)
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| where DCP >=2
| fields PROGRAM

This search currently returns Programs that are associated with at least two of the processes selected from the first input. However, I'm trying to return only Programs that are associated with all three (or more) processes. With the current search, I could get Programs associated with ABC & XYZ or EFG & XYZ, etc, but what I want are only those associated with all three.

Hence why I was hoping there is a way to create a token based on the number of "Process Inputs" I select in the first multi-select option; whether it's 2 or all 10, that's what the numerical value for the where command would be.

"| where DCP >=(2 - 10)"

Thank you

woodcock
Esteemed Legend

Now I get it. See my new answer.

0 Karma