Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search the table by the range set of size in the input?

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 12:22 AM

I want to search file by range of size assigned in the input but I'm not sure how.

Example: I pick 50M in the choices because I want to search files that are having 50M to 199M size.

Input Source:

</input>
<input type="dropdown" token="size_tk">
<label>File Size:</label>
<choice value="*">ALL</choice>
<choice value="50M">50M</choice>
<choice value="200M">200M</choice>
<choice value="500M">500M</choice>
<choice value="1G">1G</choice>
<choice value="2G">2G</choice>
<search>
<query>index=tech_filesystem
| makemv delim="," filesize
| stats count by filesize</query>
<earliest>rt-30s</earliest>
<latest>rt</latest>
</search>
0 Karma
Reply

rrovers
Contributor
‎07-27-2022 04:35 AM

maybe something like this? 

<dashboard>
<label>Test filesize</label>
<fieldset>
<input type="dropdown" token="size_tk_from" searchWhenChanged="true">
<label>File Size from:</label>
<choice value="*">ALL</choice>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">500M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="size_tk_to" searchWhenChanged="true">
<label>File Size to:</label>
<choice value="*">ALL</choice>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">50M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
  <panel>
    <table>
      <search>
        <query>
       <![CDATA[
        index=tech_filesystem
       | makemv delim="," filesize
       | where filesize>$size_tk_from$ AND filesize<$size_tk_to$
       | stats count by filesize
      ]]>
      </query>
     <earliest>rt-1m</earliest>
     <latest>rt</latest>
    </search>
  </table>
  </panel>
</row>
</dashboard>

 

0 Karma
Reply

rrovers
Contributor
‎07-28-2022 12:23 AM

You can use mvexpand to make multiple events from 1 and mvcombine to make 1 event from multiple.

I've used makeresults to be able to check my dashboard. Not exactly what you want but hopefully it wil give you a hint how to solve this.

 

<dashboard>
<label>Test filesize</label>
<fieldset>
<input type="dropdown" token="size_tk_from" searchWhenChanged="true">
<label>File Size from:</label>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">500M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
</input>
<input type="dropdown" token="size_tk_to" searchWhenChanged="true">
<label>File Size to:</label>
<choice value="50000">50M</choice>
<choice value="200000">200M</choice>
<choice value="500000">500M</choice>
<choice value="1000000">1G</choice>
<choice value="2000000">2G</choice>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
</input>
</fieldset>
<row>
  <panel>
    <table>
      <search>
        <query>
       <![CDATA[
       | makeresults 
       | eval filesize="2G,500M,200M,50M,1G" 
       | eval filesize=replace(filesize,"50M","50000") 
       | eval filesize=replace(filesize,"200M","200000") 
       | eval filesize=replace(filesize,"500M","500000") 
       | eval filesize=replace(filesize,"1G","1000000") 
       | eval filesize=replace(filesize,"2G","2000000") 
       | makemv delim="," filesize 
       | mvexpand filesize
       | where filesize>$size_tk_from$ AND filesize<$size_tk_to$
       | table filesize 
       | sort filesize 
       | eval filesize=replace(filesize,"500000","500M") 
       | eval filesize=replace(filesize,"50000","50M") 
       | eval filesize=replace(filesize,"2000000","2G") 
       | eval filesize=replace(filesize,"200000","200M") 
       | eval filesize=replace(filesize,"1000000","1G") 
       | table filesize
      ]]>
      </query>
     <earliest>-1d@d</earliest>
     <latest>@d</latest>
    </search>
  </table>
  </panel>
</row>
</dashboard>

 

 

0 Karma
Reply

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 08:22 PM

Thank you for your reply. I tried to use your resolution code but still not able to show the output needed. As per checking, the sizes are shown in 1 row. They are just separated by comma that's why their is "| makemv delim="," filesize" in the search string. I would like to ask if their are ways on how to sort the data from a single row?

0 Karma
Reply

rrovers
Contributor
‎07-27-2022 02:58 AM

Maybe I don't understand your question quit right but if you are looking for a list of files between 2 values you could make an extra token and use this search:

index=tech_filesystem
| makemv delim="," filesize
| where filesize>$size_tok_from$ AND filesize<$size_tok_to$
| stats count by filesize

 

0 Karma
Reply

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 03:30 AM

I tried to update the search string based on your reply but it could not create search.

Screenshot 2022-07-27 182952.png

<input type="dropdown" token="size_tk" searchWhenChanged="true">
<label>File Size:</label>
<choice value="*">ALL</choice>
<choice value="50M">50M</choice>
<choice value="200M">200M</choice>
<choice value="500M">500M</choice>
<choice value="1G">1G</choice>
<choice value="2G">2G</choice>
<search>
<query>index=tech_filesystem
| makemv delim="," filesize
| where filesize&gt;$size_tok_from$ AND filesize&lt;$size_tok_to$
| stats count by filesize</query>
<earliest>rt-1m</earliest>
<latest>rt</latest>
</search>
<fieldForLabel>size</fieldForLabel>
<fieldForValue>size</fieldForValue>
<default>*</default>
<initialValue>*</initialValue>
</input>

 

0 Karma
Reply

rrovers
Contributor
‎07-27-2022 01:27 AM

I think you need to make 2 tokens, size_tok_from and size_tok_to.

In your search add

where filesize>$size_tok_from$ AND filesize<$size_tok_to$
0 Karma
Reply

jobamnavarro
Loves-to-Learn Lots
‎07-27-2022 02:18 AM

Should I use eval if statement to search the file size having 50M to 199M? I attached the sample file sizes in the table filesize below. 

Screenshot 2022-07-27 171434.png
I want to filter the file base on the sizes available in the dropdown.
Screenshot 2022-07-27 171708.png

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...