- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- using multiselect to concatenate fields into a com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a dashboard where the user can select multiple in a multiselect input field. Those values correspond to column in a splunk table. We want to be able to concatenate those columns, based on selection, so that we can easily chart the timeseries. We are struggling to get the dynamic list resolved in SPL to concatenate the fields.
multiselect options -
Host
Environment
Node Group
etc...
If we select all three, we want to create a new field in each row of the data that contains the 'Host':'Environment':'Node Group'. Sort of like creating a compound key for that summary row. The next user might select 'Node Group':'Environment'. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Answering my own question on this one...
A simple delimiter of +":"+ on the multiselect input did the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Answering my own question on this one...
A simple delimiter of +":"+ on the multiselect input did the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for trying but neither examples work for us. here is the exact query. The idea is to use the multiselect on a dashboard to replace what is currently a static list. The example below highlights one static selection ('host'+ ":"+ 'assetGroup').
| tstats max("CPU.lpar_vp_usage") AS vp_usage max("CPU.cpu_PCT") AS pct_usage values(CPU.assetGroup) AS assetGroup values(CPU.assetAreaName) AS assetAreaName values(CPU.assetName) AS assetName values(CPU.assetColor) AS assetColor values(CPU.nodeType) AS nodeType values(CPU.nodeGroup) AS nodeGroup values(CPU.cluster) AS cluster values(CPU.awsAutoScalingGroupId) AS awsAutoScalingGroupId
from datamodel=NMON_Data_CPU
where (nodename = CPU) (CPU.type="CPU_ALL" OR CPU.type="LPAR") (host="")
by _time, host, CPU.assetGroup, CPU.assetAreaName, CPU.assetName span=1m
| search (assetGroup="prod") (assetAreaName ="") (assetName ="USA") (assetColor = "") (nodeType="") (nodeGroup="") (cluster ="") (awsAutoScalingGroupId="*")
| eval dd1='host'+ ":"+ 'assetGroup'
| stats dedup_splitvals=t max("pct_usage") AS pct_usage by _time, host, assetGroup, assetAreaName, assetName, dd1
| eval usage=if(isnum(vp_usage), vp_usage, pct_usage)
| timechart useother=f limit=0 avg(usage) AS "CPU usage" by dd1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mschellhouse , can you try this please:
<fieldset submitButton="false">
<input type="multiselect" token="field1">
<label>field1</label>
<choice value="Host">Host</choice>
<choice value="Environment">Environment</choice>
<choice value="Node Group">Node Group</choice>
<delimiter>:</delimiter>
<valuePrefix>'</valuePrefix>
<valueSuffix>'</valueSuffix>
</input>
</fieldset>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you use a regex, you might be able to do something. The regex below is saying that the input itself is input=Environment OR input=....
|makeresults|eval input="$token$"|rex field=input mode=sed "s/ OR input=/':'/g"|rex field=input mode=sed "s/input=|$/'/g"
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
