Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search the table by the range set of size in the input?

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 12:22 AM

I want to search file by range of size assigned in the input but I'm not sure how.

Example: I pick 50M in the choices because I want to search files that are having 50M to 199M size.

Input Source:

</input>
<input type="dropdown" token="size_tk">
<label>File Size:</label>
<choice value="*">ALL</choice>
<choice value="50M">50M</choice>
<choice value="200M">200M</choice>
<choice value="500M">500M</choice>
<choice value="1G">1G</choice>
<choice value="2G">2G</choice>
<search>
<query>index=tech_filesystem
| makemv delim="," filesize
| stats count by filesize</query>
<earliest>rt-30s</earliest>
<latest>rt</latest>
</search>
0 Karma
Reply

rrovers
Contributor
‎07-27-2022 04:35 AM

maybe something like this? 

<dashboard>
<label>Test filesize</label>
<fieldset>
<input type="dropdown" token="size_tk_from" searchWhenChanged="true">
<label>File Size from:</label>
<choice value="*">ALL</choice>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">500M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="size_tk_to" searchWhenChanged="true">
<label>File Size to:</label>
<choice value="*">ALL</choice>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">50M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
  <panel>
    <table>
      <search>
        <query>
       <![CDATA[
        index=tech_filesystem
       | makemv delim="," filesize
       | where filesize>$size_tk_from$ AND filesize<$size_tk_to$
       | stats count by filesize
      ]]>
      </query>
     <earliest>rt-1m</earliest>
     <latest>rt</latest>
    </search>
  </table>
  </panel>
</row>
</dashboard>

 

0 Karma
Reply

rrovers
Contributor
‎07-28-2022 12:23 AM

You can use mvexpand to make multiple events from 1 and mvcombine to make 1 event from multiple.

I've used makeresults to be able to check my dashboard. Not exactly what you want but hopefully it wil give you a hint how to solve this.

 

<dashboard>
<label>Test filesize</label>
<fieldset>
<input type="dropdown" token="size_tk_from" searchWhenChanged="true">
<label>File Size from:</label>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">500M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
</input>
<input type="dropdown" token="size_tk_to" searchWhenChanged="true">
<label>File Size to:</label>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">500M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
</input>
</fieldset>
<row>
  <panel>
    <table>
      <search>
        <query>
       <![CDATA[
       | makeresults 
       | eval filesize="2G,500M,200M,50M,1G" 
       | eval filesize=replace(filesize,"50M","50000") 
       | eval filesize=replace(filesize,"200M","200000") 
       | eval filesize=replace(filesize,"500M","500000") 
       | eval filesize=replace(filesize,"1G","1000000") 
       | eval filesize=replace(filesize,"2G","2000000") 
       | makemv delim="," filesize 
       | mvexpand filesize
       | where filesize>$size_tk_from$ AND filesize<$size_tk_to$
       | table filesize 
       | sort filesize 
       | eval filesize=replace(filesize,"500000","500M") 
       | eval filesize=replace(filesize,"50000","50M") 
       | eval filesize=replace(filesize,"2000000","2G") 
       | eval filesize=replace(filesize,"200000","200M") 
       | eval filesize=replace(filesize,"1000000","1G") 
       | table filesize
      ]]>
      </query>
     <earliest>-1d@d</earliest>
     <latest>@d</latest>
    </search>
  </table>
  </panel>
</row>
</dashboard>

 

 

0 Karma
Reply

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 08:22 PM

Thank you for your reply. I tried to use your resolution code but still not able to show the output needed. As per checking, the sizes are shown in 1 row. They are just separated by comma that's why their is "| makemv delim="," filesize" in the search string. I would like to ask if their are ways on how to sort the data from a single row?

0 Karma
Reply

rrovers
Contributor
‎07-27-2022 02:58 AM

Maybe I don't understand your question quit right but if you are looking for a list of files between 2 values you could make an extra token and use this search:

index=tech_filesystem
| makemv delim="," filesize
| where filesize>$size_tok_from$ AND filesize<$size_tok_to$
| stats count by filesize

 

0 Karma
Reply

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 03:30 AM

I tried to update the search string based on your reply but it could not create search.

Screenshot 2022-07-27 182952.png

<input type="dropdown" token="size_tk" searchWhenChanged="true">
<label>File Size:</label>
<choice value="*">ALL</choice>
<choice value="50M">50M</choice>
<choice value="200M">200M</choice>
<choice value="500M">500M</choice>
<choice value="1G">1G</choice>
<choice value="2G">2G</choice>
<search>
<query>index=tech_filesystem
| makemv delim="," filesize
| where filesize&gt;$size_tok_from$ AND filesize&lt;$size_tok_to$
| stats count by filesize</query>
<earliest>rt-1m</earliest>
<latest>rt</latest>
</search>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
<default>*</default>
<initialValue>*</initialValue>
</input>

 

0 Karma
Reply

rrovers
Contributor
‎07-27-2022 01:27 AM

I think you need to make 2 tokens, size_tok_from and size_tok_to.

In your search add

where filesize>$size_tok_from$ AND filesize<$size_tok_to$
0 Karma
Reply

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 02:18 AM

Should I use eval if statement to search the file size having 50M to 199M? I attached the sample file sizes in the table filesize below. 

Screenshot 2022-07-27 171434.png
I want to filter the file base on the sizes available in the dropdown.
Screenshot 2022-07-27 171708.png

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...