topic How to select dashboard panel query based on dropdown input selection in Dashboards & Visualizations

How to select dashboard panel query based on dropdown input selection

adamblock2 — Tue, 29 Sep 2020 13:51:57 GMT

I have a dashboard which contains 2 inputs. I have 2 separate queries which would run based on the results of the first input.

< fieldset submitButton="true" autoRun="false">
< input type="dropdown" token="i_criteria">
< label>Search Criteria< /label>
< choice value="message_id">Message ID< /choice>
< choice value="from">Sender< /choice>
< choice value="sender_domain">Sender Domain< /choice>
< choice value="x_mailer">X-mailer< /choice>
< /input >
< input type="text" token="s_value" searchWhenChanged="false">
< label>Search Value< /label>
< /input>

If the user selects Message ID, Sender, or Sender Domain, the first query should run. If the user selects X-mailer, the second query should run.

My first query begins with < query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter *$i_criteria$!=x_mailer** $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host].......................< /query>*

The second query begins with < query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details **x_mailer=$s_value|s$* | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host]..................< /query>*

Assistance with this will be greatly appreciated.

Re: How to select dashboard panel query based on dropdown input selection

frobinson_splun — Thu, 27 Apr 2017 23:22:41 GMT

Hi @adamblock2,
You can use change and condition elements to set up conditional handling of different input values. You can also use a token to represent the query that should run in either case. Depending on the user selection, set that query token to one or the other search strings in your condition elements.

See http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Define_tokens_for_conditional_operations_with_form_inputs

and

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Conditional_operations_with_form_inputs

You can also check out the dashboards examples app for more info:
https://splunkbase.splunk.com/app/1603/

Hope this helps!

Re: How to select dashboard panel query based on dropdown input selection

adamblock2 — Fri, 28 Apr 2017 16:01:28 GMT

I think that I might be missing something.

My dashboard contains

A text input which populates the token "s_value"
A dropdown which populates the token "i_criteria"
A dropdown which populates the token "d_status"

I updated my i_criteria dropdown to include the following:

< change>
        < condition value="x_mailer">
            < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer  by internal_message_id, host | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
        < /condition>
        < condition value="message_id">
            < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer  by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
        < /condition>
        < condition value="from">
            < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer  by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
        < /condition>
        < condition value="sender_domain">
            < set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer  by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time< /set>
        < /condition>
        < /change>

I then replaced my query statement with < query>$s_query$< /query>

The query does not run. I receive a message "Search Factory: Unknown search command 's'." In addition, the submit button no longer functions.

Any ideas?

Thank you.

Re: How to select dashboard panel query based on dropdown input selection

aaraneta_splunk — Fri, 28 Apr 2017 16:08:20 GMT

@adamblock2 - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in < or >, without wrapping it in a code sample, it will transform your post. If you wish to show the < > (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar.

Re: How to select dashboard panel query based on dropdown input selection

frobinson_splun — Fri, 28 Apr 2017 17:16:25 GMT

Hm. I'll see if I can replicate the issue in my instance. It might have to do with escaping characters or formatting the search string. I'll report back.

Re: How to select dashboard panel query based on dropdown input selection

frobinson_splun — Fri, 28 Apr 2017 18:13:40 GMT

I tried setting up a similar example with test code.

What worked:
a dropdown whose selection is used (as a token) to conditionally set a query string in a panel.

What didn't work:
Combining tokenized selection or input values from a text box and a dropdown in the query. I don't think they are "aware" of input events on each other, so the query is not getting populated with tokenized values from both the dropdown and the text box.

I'll tinker a bit more with my own source code to see if there's something I can suggest.