Splunk Search

How to dynamically utilize the number of field values?


Greetings Everyone!

I'm in need of a second, third, etc. set of eyes. I'm attempting to create a search for a dynamic dropdown that populates a multi-field value based on its correlation to a number of field values in a separate field.

Sample search:

Process=ABC OR Process=EFG OR Process=XYZ
| stats dc(Process) as DCP values(Process) as Process by PROGRAM

PROGRAM    DCP    Process
-------    ---    -------------
Splunk     3      ABC, EFG, XYZ
Windows    3      ABC, EFG, XYZ
Linux      2      ABC, EFG

The desired outcome would be for the dropdown to only populate "Splunk & Windows", which I can accomplish by using something like

| where DCP >=3

However, the dropdown is multi-select and there could be only one "Process" chosen, or 10. Therefore, I need the number in the where command to be dependent upon the number of Process values.

Any assistance in resolving this would be greatly appreciated.

1 Solution

Esteemed Legend

Now we are cooking. Based on your new comment, the knowledge that you lack is here:
So let's say your fieldset area has input tokens of process_token and program_token, then you need to add this to your XML:

<eval token="process_count">mvcount(split("$process_token$", " OR "))</eval>

Then you just use this in your search:

... | where DCP>$process_count$

Here is a run-anywhere Proof-of-Concept to demonstrate:

| makeresults 
| eval process_token="((Process=\"ABC\") OR (Process=\"EFG\") OR (Process=\"XYZ\"))", program_token="((PROGRAM=\"Splunk\") OR (PROGRAM=\"Windows\"))"
| eval process_count=mvcount(split(process_token, " OR "))
| map search="|makeresults 
| eval search=\"index=foo sourcetype=bar (($process_token$) AND ($program_token$))
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| where DCP>$process_count$\""
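The dashboard wiring the accepted answer describes, as an added Simple XML example that is not from the original thread: the two multiselect inputs, the `<eval token>` that counts the selected processes, and the `where DCP>=$process_count$` filter on the second input's populating search. The index, sourcetype and field names (`index=foo`, `sourcetype=bar`, `Process`, `PROGRAM`) follow the thread; the time range and the panel at the bottom are assumptions. It uses the `|s` token filter (which wraps the token value in double quotes and escapes any quotes inside it) so the count expression stays valid even though each selected value carries its own quotes.

```xml
<form>
  <label>Programs associated with every selected Process</label>
  <fieldset submitButton="false">
    <!-- First input: the processes to correlate on. With this prefix/suffix/delimiter,
         selecting ABC and EFG gives the token value:  Process="ABC" OR Process="EFG"  -->
    <input type="multiselect" token="process_token" searchWhenChanged="true">
      <label>Process</label>
      <valuePrefix>Process="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <!-- Assumed index/sourcetype; the thread only names index=foo sourcetype=bar -->
        <query>index=foo sourcetype=bar | stats count by Process | fields Process</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>Process</fieldForLabel>
      <fieldForValue>Process</fieldForValue>
      <change>
        <!-- Number of selected processes = number of " OR "-separated pieces in the token.
             $process_token|s$ expands to a quoted, escaped string literal, so the eval
             parses even though every piece contains double quotes. -->
        <eval token="process_count">mvcount(split($process_token|s$, " OR "))</eval>
      </change>
    </input>

    <!-- Second input: only programs seen with ALL selected processes. The base search is
         restricted to the selected processes, so dc(Process) per PROGRAM can never exceed
         process_count; reaching it means every selected process was seen for that program. -->
    <input type="multiselect" token="program_token" searchWhenChanged="true">
      <label>Program</label>
      <valuePrefix>PROGRAM="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <search>
        <query>index=foo sourcetype=bar ($process_token$)
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| where DCP>=$process_count$
| fields PROGRAM</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>PROGRAM</fieldForLabel>
      <fieldForValue>PROGRAM</fieldForValue>
    </input>
  </fieldset>

  <!-- Assumed panel: shows what the two selections resolve to -->
  <row>
    <panel>
      <title>Events for the selected processes and programs</title>
      <table>
        <search>
          <query>index=foo sourcetype=bar ($process_token$) ($program_token$)
| stats count by PROGRAM Process</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things to keep in mind when adapting this. The comparison only means "associated with all selected processes" because the populating search is itself filtered to `($process_token$)`; if that filter is dropped or widened, `dc(Process)` also counts processes nobody selected and the threshold loses its meaning. And `process_count` is only set by the `<change>` handler, so the Program input's search waits until the Process input has a selection; that is the intended behaviour here rather than a defect.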

Thank you! The only adjustment I had to make was adding an equal sign after the ">" symbol. So basically it's now:

| where DCP>=$process_count$

Thank you again for the assist!!

Esteemed Legend

Your re-statement cracked the case for me. I just was not getting what you needed at first.

Esteemed Legend

Actually, I would change it to use " OR " instead of "OR", just in case a process name happens to contain OR!

Does this work?

Process=ABC OR Process=EFG OR Process=XYZ
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| eval MVCP=mvcount(Process)
| streamstats max(MVCP) as MaxMVCP
| where MaxMVCP=DCP

Thank you for the suggestion, it doesn't solve my dilemma entirely as I still get results for 2 or fewer Processes, when I'm only wanting Processes associated with all three. Nevertheless, this has given me a few new ideas to try, so thank you again for the new perspective.

Esteemed Legend

This is an incomplete description. I do not get it at all. Come back around and give more detail. The way that I understand it, you should just be able to do ... | where PROGRAM="Splunk" OR PROGRAM="Windows" | stats count BY Process | table Process but that is so easy, I am surely not understanding you.

Hi Gregg,

So I have a dashboard w/ two multi-select inputs, the first being Process, and the second being Programs.

For my Process input, I have 10 choices (ABC, DEF, GHI, etc.)

A token from the Process input populates the Programs input via search (see current search below):

index=foo (Process=ABC OR Process=EFG OR Process=XYZ)
| stats dc(Process) as DCP values(Process) as Process by PROGRAM
| where DCP >=2
| fields PROGRAM

This search currently returns Programs that are associated with at least two of the processes selected from the first input. However, I'm trying to return only Programs that are associated with all three (or more) processes. With the current search, I could get Programs associated with ABC & XYZ or EFG & XYZ, etc, but what I want are only those associated with all three.

Hence why I was hoping there is a way to create a token based on the number of "Process Inputs" I select in the first multi-select option; whether it's 2 or all 10, that number would be the value used in the where command.

"| where DCP >=(2 - 10)"

Esteemed Legend

Now I get it. See my new answer.