Splunk Search

Overlaying data from multiple devices, or being able to select which device to view?

neilmac64
Path Finder

Further to my previous post here, which was generously solved by ITWhisperer:

Solved: Help with search to use for dashboard - link key-v... - Splunk Community

My chart looks like this (which is what I wanted to achieve).

[screenshot: the resulting timechart]


My challenge now is to have charts which:

  • have the mac_address as a variable rather than fixed so that it's more flexible
    • can we read this from the index rather than have to type it?
    • I have a dashboard that uses a hostname in this way (syntax below)
  • show the line from multiple devices - stats from (mac_address_1 AND mac_address_2 AND ... (up to mac_address_x)) on the same chart
  • option to drop down menu to choose to display either mac_address_1 OR mac_address_2 OR ... (up to mac_address_x)

Again, any help much appreciated.

NM

Current Search:

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key


Sample search which allows me to view via a variable (hostname). Note - this is an unrelated project - I'm just using for illustration:

host=$host_name$ source="xxx" | timechart avg(value_1) as "Avg Value 1" avg(value_2) as "Avg Value 2" by host

One issue I see is that I already have a "by" defined in this project, which is "by key".

1 Solution

ITWhisperer
SplunkTrust

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

You could also populate a multi-select dropdown with values from an index search:

index=your_index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address:

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user-friendly.
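The two parts of the answer wired together as one Simple XML dashboard. This is an added illustration, not code from the original thread: the multiselect input is populated by the dedup search, each selected value is wrapped as a quoted mac_address="..." term and joined with OR, and the chart search consumes the resulting token before the timechart split by mac_address. The index name your_index, the token name mac_tok, the "All" choice and the 24-hour time range are assumptions.

```xml
<form>
  <label>Counter by MAC address</label>
  <fieldset submitButton="false">
    <!-- Multiselect populated from the index; one row per distinct mac_address -->
    <input type="multiselect" token="mac_tok" searchWhenChanged="true">
      <label>MAC address</label>
      <!-- Static "All" entry; "*" expands to mac_address="*" below -->
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForValue>mac_address</fieldForValue>
      <fieldForLabel>mac_address</fieldForLabel>
      <search>
        <query>index=your_index | dedup mac_address | fields mac_address</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
      <!-- Each chosen value becomes mac_address="aa:bb:..." and the set is ORed and parenthesised,
           so the token is a well-formed field filter rather than free text in the search string -->
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>mac_address="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <!-- Fixed counter, MAC filter from the token, one line per device -->
        <search>
          <query>index=your_index key="counter_01" $mac_tok$ | timechart values(value) by mac_address</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

With one device selected the token expands to (mac_address="xx:yy:zz:aa:bb:01"); with several it expands to an OR of those terms, which is what gives the "select one OR many" behaviour from the same chart. Keeping the quoting in valuePrefix and valueSuffix, rather than leaving the token to expand as raw text, means a value from the populating search is always treated as a field comparison, not as additional search syntax.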
