×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
waleeper
Explorer
Member since: ‎01-30-2020
‎11-29-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-30-2020
Activity Feed
View All

Re: Set multiple tokens using "condition match"

by in Dashboards & Visualizations
‎04-11-2023 08:01 AM
‎04-11-2023 08:01 AM
This seems to work (but still feels like a work around): <form theme="dark" script="simple_xml_examples:showtokens.js"> <init> <set token="field1">off</set> </init> <fieldset submitButton="false"> <input type="checkbox" token="field"> <label>field</label> <choice value="option1">option1</choice> <choice value="option2">option2</choice> <change> <eval token="field1">case(isnotnull(mvfind($form.field$,&quot;option1&quot;)),"option1")</eval> <eval token="field2">case(isnotnull(mvfind($form.field$,&quot;option2&quot;)),"option2")</eval> </change> </input> </fieldset> <search> <query> | makeresults | eval option1=$field1$ </query> <done> <condition match="isnull($field1$)"> <unset token="option1.txt"></unset> </condition> <condition> <set token="option1.txt">$field1$</set> </condition> </done> </search> <search> <query> | makeresults | eval option2=$field2$ </query> <done> <condition match="isnull($field2$)"> <unset token="option2.txt"></unset> </condition> <condition> <set token="option2.txt">$field2$</set> </condition> </done> </search> <row> <panel> <html> <p>$option1.txt$</p> <p>$option2.txt$</p> </html> </panel> </row> </form> Does someone have a better solution? ... View more

Re: Can streamstats reset_before (or reset_after) ...

by in Splunk Search
‎11-29-2021 10:16 AM
‎11-29-2021 10:16 AM
This was the right answer.  This will work for most data sets.  You just need to sort by your aggregates first, then _time.  Be sure to put the 0 in the sort so you don't hit the sort limit. Did this with a massive query and it solved my reset issue. ... View more

Re: How do I transpose a trellis label into a code...

by in Dashboards & Visualizations
‎02-14-2020 12:01 PM
1 Karma
‎02-14-2020 12:01 PM
1 Karma
@waleeper You're real close. Your inputlookup needs to be in a search on its own, that results in exactly the key/value pair needed for the main search. I don't have your lookup file, so I fake one and then bring it to the key/value pair you need to start the real search. Here's the run anywhere example that results in tag::host=sitecode, which you're looking for when Charlotte is entered: | noop | stats count | eval raw=split("sitecity=Charlotte sitecode=clt ; sitecity=NewYork sitecode=nyc ; sitecity=Rochester sitecode=roc",";") | mvexpand raw | rename raw as _raw | extract auto=t | search sitecity="Charlotte" | eval "tag::host"=sitecode | table "tag::host" To use this in brackets in your search, it might look like this: [| inputlookup market-mapping | search sitecity="Charlotte, NC" | eval "tag::host"=sitecode | table "tag::host"] index=data sourcetype=searchdata "string" What's happening here, is the search in the brackets is resolving first. When it runs, the search resolves to: tag::host=clt index=data sourcetype=searchdata "string" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-29-2021 01:59 PM
Karma given to
View All