cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
shikhanshua
Explorer
Member since: ‎02-07-2022
2 weeks ago
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎02-07-2022
View All

Using a field value twice while building a multi-s...

by in Dashboards & Visualizations
2 weeks ago
2 weeks ago
I have a multi-select like this:     <input token="name" type="multiselect"> <label>Name</label> <choice value="*">ALL</choice> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>name="</valuePrefix> <valueSuffix>"</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>name</fieldForLabel> <fieldForValue>name</fieldForValue> <search> <query>index=my_index | dedup name | sort name</query> </search> </input>     It correctly produces a token $name$ with value:     (name="VALUE1" OR name="VALUE2" ... )       But I have a need to make the token look like:     (name="VALUE1" OR name="VALUE1.*" OR name="VALUE2" OR name="VALUE2.*" ... )     because if "VALUE1" is selected in the multi-select, I want events that match both "VALUE1" and "VALUE1.*" (note the dot star, not just star).   But I cannot just match "VALUE1*" as that will bring in events that have a different value which BEGINS with "VALUE1" which I don't want.   So the question is - how can I utilize the values TWICE in the token generation? I can't wrap my head around how I might be able to achieve this. ... View more
Labels

Re: stats or tstats latest not working on array fi...

by in Splunk Search
‎04-05-2022 06:57 AM
‎04-05-2022 06:57 AM
In my case, the fields are coming from different kinds of events and I am compiling them together. So can’t do head 1 etc as the latest of one field maybe in an older event, while latest of  another may be in the latest event. Etc.  Thanks for the suggestion though. Definitely useful to do when all the fields are in all events that i am looking at.  ... View more

Why are stats or tstats latest not working on arra...

by in Splunk Search
‎04-01-2022 02:06 PM
‎04-01-2022 02:06 PM
I have events like these (just some made-up data), that are pushed in JSON format to Splunk:       {"name":"abc", "grade":"third", "result": "PASS", "courses":["math","science","literature"], "interests":["this","that"]}       Events are being generated all the time, and I need to get the latest values of "result", "courses" and "interests" for a given "name" and "grade". Note that "courses" and "interests" are lists/arrays, while other fields are strings. So I am doing somethings like:       index=whatever name=abc grade=third | stats latest(courses) as courses, latest(interests) as interests, latest(result) as result index=whatever name=abc grade=third | stats latest(courses{}) as courses, latest(interests{}) as interests, latest(result) as result index=whatever name=abc grade=third | eval courses=json_array_to_mv(courses), interests=json_array_to_mv(interests) | stats latest(courses) as courses, latest(interests) as interests, latest(result) as result         Also tried with "tstats" approach.   None of those work. I get the courses and interests as empty values. result comes in fine, because its a string.   How can I get the "latest" lists of courses and interests given other values? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago
Karma given to
View All