Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In a stats based on the item selected in the drop down, how can I display two columns in the panel which display the count when Id=* and when Id=number?

macadminrohit
Contributor
‎02-20-2018 01:59 PM

Hi,

I have a query which does the stats count by ID selected through the drop-down query looks like :

index=servers sourcetype=json Id=* msg="method" OR "disabled" earliest=-60m@m latest=now  | stats count as cnt by _time,msg, Id | head limit=20

I want to display two columns in the panel which display the count when Id=* and when Id=number respectively. Where a number can be any choice from the drop-down.

0 Karma
Reply

somesoni2
Revered Legend
‎02-20-2018 02:12 PM

Assuming you're using the Id dropdown token as $id$ in the base search, try like this. This will show id=*on all rows if the Id selected from dropdown was * (all Ids) ,will show Id=selectedId otherwise.

index=servers sourcetype=json Id="$id$" msg="method" OR "disabled" earliest=-60m@m latest=now | eval Id=if("$id$"="*","*",id) | stats count as cnt by _time,msg, Id | head limit=20
0 Karma
Reply

macadminrohit
Contributor
‎02-20-2018 05:22 PM

Thanks, I was thinking to do the same thing but it is displaying * under the column Id.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...