
Multiselect token not interacting with Chart

MrJohn230
Path Finder

I have a multiselect that does not interact with my Trellis chart.

I would say it's not defined in my base search, but I'm not sure how to identify the issue or how to fix it.

BASE Search:

| eval Pat=spath(json, "Info.Pat.Time")
| eval Con=spath(json, "Info.Con.Time")
| eval Cov=spath(json, "Info.Cov.Time")
| eval Category = RED
| table _time, Pat, Con, Cov, Category

Multi-Select:

| eval SysTime = Category + ":" + _time
| fields - Category
| untable SysTime Reason CurationValue
| eval Category = mvindex(split(SysTime, ":"), 0)
| eval _time = mvindex(split(SysTime, ":"), 1)
| fields - SysTime
| table Reason
| dedup Reason

Chart:

| search Category $t_category$ Reason $t_reason$
| timechart span=1h avg(Pat) as Pat, avg(Con) as Con, avg(Cov) as Cov 

 

0 Karma

bowesmana
SplunkTrust

What's the definition of your multiselect input - you've only listed the search.

You are using Reason $t_reason$ in your search - but in your chart search, which if it's coming from base search, there is no Reason field, so you cannot filter by Reason.

Is t_category token coming from another input?

If you are using a syntax 

Reason $t_reason$

and your input is a multiselect, then it looks odd that you have "Reason" in the search - is that just searching the raw text for Reason or is that somehow part of a field called Reason?

0 Karma

MrJohn230
Path Finder

I have my base search, and Pat, Con and Cov are individual columns. I want those to be the values for my multi-value select. So in my multi-value select I untable those columns into rows, with the column being Reason.

 

| table _time, Pat, Con, Cov, Category

 

0 Karma

ITWhisperer
SplunkTrust

All your multi-select search is doing (assuming it is based on your base search) is giving you the names of the fields you have described in your base search (Pat, Con and Cov), so why not just hard code them in your multi-select?

If you want to continue using the base search, your multi-select search could be simplified to

| fields - Category
| untable _time Reason CurationValue
| table Reason
| dedup Reason

Having said that, it is still not clear what is not working for you. Do you need something like this?

| search Reason IN ($t_reason$)
0 Karma
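
The hard-coded multiselect and the `IN` filter suggested in the answers above, put together as one Simple XML dashboard. This is an added example, not code from the thread: the index name, the time range and the quoting of RED are assumptions, and the `$t_category$` filter is left out because its input is never shown.

```xml
<form version="1.1">
  <label>Multiselect driving a trellis chart (constructed example)</label>
  <!-- Base search from the thread; the index is a placeholder, and RED is
       assumed to be a string literal, so it is quoted here. -->
  <search id="base">
    <query>index=placeholder_index
| eval Pat=spath(json, "Info.Pat.Time")
| eval Con=spath(json, "Info.Con.Time")
| eval Cov=spath(json, "Info.Cov.Time")
| eval Category="RED"
| table _time, Pat, Con, Cov, Category</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <!-- Each selected value is wrapped in quotes and joined with commas,
         so selecting Pat and Cov sets t_reason to: "Pat","Cov" -->
    <input type="multiselect" token="t_reason">
      <label>Reason</label>
      <choice value="Pat">Pat</choice>
      <choice value="Con">Con</choice>
      <choice value="Cov">Cov</choice>
      <default>Pat,Con,Cov</default>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <!-- Reason exists only after untable, so the filter comes after it. -->
        <search base="base">
          <query>| fields - Category
| untable _time Reason CurationValue
| search Reason IN ($t_reason$)
| timechart span=1h avg(CurationValue) by Reason</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="trellis.enabled">1</option>
      </chart>
    </panel>
  </row>
</form>
```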