Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Overlaying data from multiple devices, or being able to select which device to view?

neilmac64
Path Finder
‎09-05-2022 07:13 AM

Further to my previous post here, which was generously solved by ITWhisperer:

Solved: Help with search to use for dashboard - link key-v... - Splunk Community

My chart looks like this (which is what I wanted to achieve).

neilmac64_0-1662385602169.png

 

My challenge now is to have charts which:

  • have the mac_address as a variable rather than fixed so that it's more flexible
    • can we read this from the index rather than have to type it?
    • I have a dashboard that uses the a hostname in this way (syntax below)
  • show the line from multiple devices - stats from (mac_address_1 AND mac_address_2 AND ... (up to mac_address_x)on the same chart
  • option to drop down menu to choose to display either mac_address_1 OR mac_address_2 OR ... (up to mac_address_x)

Again, any help much appreciated.

NM

Current Search:

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

 

Sample search which allows me to view via a variable (hostname). Note - this is an unrelated project - I'm just using for illustration:

host=$host_name$ source="xxx"| timechart avg(value 1) as "Avg Value 1" avg(value_2) as "Avg Value 2" by host

One issue I see is that I already have a "by" defined  in this project, which is "by key".

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 07:36 AM

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

 You could also populate a multi-select dropdown with values from an index search

index=your index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 07:36 AM

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

 You could also populate a multi-select dropdown with values from an index search

index=your index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...