Splunk Search

Overlaying data from multiple devices, or being able to select which device to view?

neilmac64
Path Finder

Further to my previous post here, which was generously solved by ITWhisperer:

Solved: Help with search to use for dashboard - link key-v... - Splunk Community

My chart looks like this (which is what I wanted to achieve).

[screenshot of the resulting chart]

My challenge now is to have charts which:

  • have the mac_address as a variable rather than fixed so that it's more flexible
    • can we read this from the index rather than have to type it?
    • I have a dashboard that uses a hostname in this way (syntax below)
  • show the line from multiple devices - stats from (mac_address_1 AND mac_address_2 AND ... (up to mac_address_x)) on the same chart
  • option for a drop-down menu to choose to display either mac_address_1 OR mac_address_2 OR ... (up to mac_address_x)

Again, any help much appreciated.

NM

Current Search:

| where key="counter_01" AND mac_address="xx:yy:zz:aa:bb:01"
| timechart values(value) by key


Sample search which allows me to view via a variable (hostname). Note - this is an unrelated project - I'm just using it for illustration:

host=$host_name$ source="xxx" | timechart avg(value_1) as "Avg Value 1" avg(value_2) as "Avg Value 2" by host

One issue I see is that I already have a "by" defined in this project, which is "by key".

ITWhisperer
SplunkTrust

You can chart multiple mac_addresses for the same counter like this:

| where key="counter_01"
| timechart values(value) by mac_address

You could also populate a multi-select dropdown with values from an index search:

index=your_index
| dedup mac_address
| fields mac_address

For this, you would set <fieldForValue> and <fieldForLabel> to mac_address:

<fieldForValue>mac_address</fieldForValue>
<fieldForLabel>mac_address</fieldForLabel>

You don't have to use the same field for both if your search returns something more user friendly
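Putting the pieces of this answer together, here is an added Simple XML example (not code from the original thread) of a dashboard whose multi-select is populated from the index and then drives the timechart. The index name your_index, the token names and the time picker are assumptions; the valuePrefix/valueSuffix/delimiter elements are what turn the selected addresses into a mac_address="..." OR mac_address="..." clause.

```xml
<form>
  <label>Counter per MAC address</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Multi-select populated from the data, so no MAC address is typed by hand -->
    <input type="multiselect" token="mac_filter" searchWhenChanged="true">
      <label>MAC address(es)</label>
      <search>
        <query>index=your_index key="counter_01"
| stats count by mac_address
| fields mac_address</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
      <fieldForLabel>mac_address</fieldForLabel>
      <fieldForValue>mac_address</fieldForValue>
      <!-- Each pick becomes mac_address="..."; picks are joined with OR and wrapped
           in parentheses, e.g. (mac_address="xx:yy:zz:aa:bb:01" OR mac_address="xx:yy:zz:aa:bb:02") -->
      <valuePrefix>mac_address="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <!-- "All" uses a wildcard so the chart is not empty before a selection is made -->
      <choice value="*">All devices</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>counter_01 by device</title>
      <chart>
        <search>
          <query>index=your_index key="counter_01" $mac_filter$
| timechart values(value) by mac_address</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Selecting one address gives a single line, selecting several overlays them, and the "All devices" choice expands to mac_address="*", which matches every device that has the field.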
