Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how can I populate a variable in a table with a search to make several different tables?

Hanneke
New Member
‎11-17-2017 06:50 AM

index=infrastructure_some_index resource_type="This could be variable from a search"
| stats values(endpoint) as "Endpoints" values(resource_type) as "Resource Type" by resource_id

| rename resource_id as "Resource ID"

| table "Resource Type", "Resource ID", "Endpoints"

Hello,
Above is my query. I would like to have several of these tables with resource_type as variable. In the data are now 6 different resource_types but they can be added, so maybe every month one will be added or changed. Is it possible to make as many tables as there are source_types so it would be a dynamical dashboard without any fixed values in the search for source_type?

Example:
Resource_type= 1234
Resource_type Resource ID Endpoints
..... ...... ......

Resource_type= 4567
Resource_type Resource ID Endpoints
..... ...... ......

Resource_type= 6789
Resource_type Resource ID Endpoints
..... ...... ......

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎11-17-2017 08:24 AM

Is this any different from this question of yours?
https://answers.splunk.com/answers/592464/how-do-i-insert-a-list-for-a-dynamical-field.html

0 Karma
Reply

Hanneke
New Member
‎11-20-2017 12:02 AM

No it is the same question. But I accidentally asked it twice. Thanks, I will have a look at your answer.

0 Karma
Reply

niketn
Legend
‎11-20-2017 05:32 AM

@Hanneke, I have closed the other duplicate question.

Can you add the relation between resource_type and resource_id? Is it one to one? If not... you are trying to Split your tables by resource_type and your statistical query seem to split it by resource_id and contains values of resource_type within the aggregate. This seems contradictory to the requirement.

Can you add more details on these two column relationship along with some sample data for the three fields?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

Hanneke
New Member
‎11-22-2017 07:40 AM

The relations are:
resource_type : resource_id = many : 1
resource_id : endpoint = many : 1 (or really close to 1:1 but just not completely)
resource_type : endpoint = many : 1

For now there are 7 resource_types:
Let's call them resource_type1, ... , resource_type7.
For resource_id you can think of something like: resource_idaaa1, ..., resource_idaaa10
resource_idbbb1, ..., resource_idbbb10
etc, with 10 of them belonging to one resource_type.

And for endpoints likewise.

I hope things are kind of clearer now.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2017 07:36 AM

Hi Hanneke,
you have to use subsearches, try something like this

index=infrastructure_some_index [ my_secondary_search | dedup resource_type | fields resource_type ]
| stats values(endpoint) as "Endpoints" values(resource_type) as "Resource Type" by resource_id 
| rename resource_id as "Resource ID" 
| table "Resource Type", "Resource ID", "Endpoints"

Put attention to two things:

  • fieldname "resource_type" must be the same in main and sub search;
  • there could be case problems.

Bye.
Giuseppe

0 Karma
Reply

somesoni2
Revered Legend
‎11-17-2017 07:29 AM

Something like that (dynamically creating panels) is not possible with simple xml dashboards. You have to look at Splunk Web Framework or any third party add-on to implement the same. Have a look at similar posts:

https://answers.splunk.com/answers/287918/how-to-create-a-dashboard-with-dynamic-chartspanel.html
https://answers.splunk.com/answers/504075/create-panels-dynamically-based-on-search-results.html

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...