Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Overlaying data from multiple devices, or being able to select which device to view?

neilmac64
Path Finder
‎09-05-2022 07:13 AM

Further to my previous post here, which was generously solved by ITWhisperer:

Solved: Help with search to use for dashboard - link key-v... - Splunk Community

My chart looks like this (which is what I wanted to achieve).

neilmac64_0-1662385602169.png

 

My challenge now is to have charts which:

  • have the mac_address as a variable rather than fixed so that it's more flexible
    • can we read this from the index rather than have to type it?
    • I have a dashboard that uses the a hostname in this way (syntax below)
  • show the line from multiple devices - stats from (mac_address_1 AND mac_address_2 AND ... (up to mac_address_x)on the same chart
  • option to drop down menu to choose to display either mac_address_1 OR mac_address_2 OR ... (up to mac_address_x)

Again, any help much appreciated.

NM

Current Search:

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key

 

Sample search which allows me to view via a variable (hostname). Note - this is an unrelated project - I'm just using for illustration:

host=$host_name$ source="xxx"| timechart avg(value 1) as "Avg Value 1" avg(value_2) as "Avg Value 2" by host

One issue I see is that I already have a "by" defined  in this project, which is "by key".

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 07:36 AM

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

 You could also populate a multi-select dropdown with values from an index search

index=your index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-05-2022 07:36 AM

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

 You could also populate a multi-select dropdown with values from an index search

index=your index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...