In a stats based on the item selected in the drop ...

macadminrohit · ‎02-20-2018

Hi,

I have a query which does the stats count by ID selected through the drop-down query looks like :

index=servers sourcetype=json Id=* msg="method" OR "disabled" earliest=-60m@m latest=now  | stats count as cnt by _time,msg, Id | head limit=20

I want to display two columns in the panel which display the count when Id=* and when Id=number respectively. Where a number can be any choice from the drop-down.

somesoni2 · ‎02-20-2018

Assuming you're using the Id dropdown token as $id$ in the base search, try like this. This will show id=*on all rows if the Id selected from dropdown was * (all Ids) ,will show Id=selectedId otherwise.

index=servers sourcetype=json Id="$id$" msg="method" OR "disabled" earliest=-60m@m latest=now | eval Id=if("$id$"="*","*",id) | stats count as cnt by _time,msg, Id | head limit=20

macadminrohit · ‎02-20-2018

Thanks, I was thinking to do the same thing but it is displaying * under the column Id.

In a stats based on the item selected in the drop down, how can I display two columns in the panel which display the count when Id=* and when Id=number?

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?

In a stats based on the item selected in the drop down, how can I display two columns in the panel which display the count when Id=* and when Id=number?

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler