All Apps and Add-ons

Sideview Utils: How to use the Switcher module to run select PostProcess searches?

redc
Builder

Is it possible to use the Switcher module to run only select PostProcess modules (or only display certain PostProcessor modules' results in a Gate module)?

Here's a sample of code like I'm trying to use:

  <module name="Pulldown" layoutPanel="panel_row1_col1">
    <param name="float">left</param>
    <param name="name">dataSource</param>
    <param name="label">Data Source: </param>
    <param name="staticOptions">
      <list>
        <param name="label">Choose a Data Source</param>
        <param name="value"></param>
        <param name="selected">true</param>
      </list>
      <list>
        <param name="label">Label 1</param>
        <param name="value">value1</param>
      </list>
      <list>
        <param name="label">Label 2</param>
        <param name="value">value2</param>
      </list>
    </param>
    <module name="Switcher" group=" ">
      <param name="selectedGroup">$dataSource$</param>
      <module name="Button">
        <param name="label">Load Results</param>
        <param name="allowSoftSubmit">False</param>
        <param name="allowAutoSubmit">False</param>
        <module name="Search">
          <param name="search"><![CDATA[index="my_index"]]></param>
          <module name="PostProcess" group="value1">
            <param name="search"><![CDATA[ | search param="something" | stats sum(unit) as MB by param]]></param>
            <module name="Gate">
              <param name="to">Gate1</param>
            </module>
          </module>
          <module name="PostProcess" group="value2">
            <param name="search"><![CDATA[ | search param="something-else" | stats sum(unit) as GB by param]]></param>
            <module name="Gate">
              <param name="to">Gate2</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

In this sample, if you select "Label 1" in the Pulldown, then the PostProcess in the group "value1" would be run, but the PostProcess in the group "value2" would not be run. And vice versa.

I'm okay with putting the group on the dashboard panels (the Gate or Pager modules that display the results of the PostProcess searches) instead of the PostProcess modules, if that's how it has to work.

I've tried it on both the PostProcess modules and the Gate and Pager modules, and in all three cases, all of the results load, regardless of what you selected in the Pulldown.

Is what I'm trying to do possible? And if so, what am I missing?

1 Solution

sideview
SplunkTrust
SplunkTrust

I suspect that a better way to achieve your end goal is to use a ValueSetter module with some conditional logic, rather than get into all this complexity with Switcher and Gate. You can read more about ValueSetter's conditional params in the docs (and for working-examples of Sideview XML, look to the hidden view "testcases_for_value_setter_conditionals").

Here is an example though.

<module name="Pulldown" layoutPanel="panel_row1_col1">
  <param name="float">left</param>
  <param name="name">dataSource</param>
  <param name="label">Data Source: </param>
  <param name="staticOptions">
    <list>
      <param name="label">Choose a Data Source</param>
      <param name="value"></param>
      <param name="selected">true</param>
    </list>
    <list>
      <param name="label">Label 1</param>
      <param name="value">value1</param>
    </list>
    <list>
      <param name="label">Label 2</param>
      <param name="value">value2</param>
    </list>
  </param>

  <module name="ValueSetter">
    <param name="name">conditionalPostProcess</param>
    <param name="if.$dataSource$=value1[priority=1]">search param="something" | stats sum(unit) as MB by param</param>
    <param name="if.$dataSource$=value2[priority=2]">search param="somethingElse" | stats sum(unit) as MB by param</param>
    <param name="default">stats count | eval param="error - dataSource had unexpected value - ( $dataSource$ )</param>

    <module name="PostProcess">
      <param name="search"><![CDATA[ $conditionalPostProcess$]]></param>

      ... other modules needing the postprocess'ed results go here...

    </module>
  </module>
</module>

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

I suspect that a better way to achieve your end goal is to use a ValueSetter module with some conditional logic, rather than get into all this complexity with Switcher and Gate. You can read more about ValueSetter's conditional params in the docs (and for working-examples of Sideview XML, look to the hidden view "testcases_for_value_setter_conditionals").

Here is an example though.

<module name="Pulldown" layoutPanel="panel_row1_col1">
  <param name="float">left</param>
  <param name="name">dataSource</param>
  <param name="label">Data Source: </param>
  <param name="staticOptions">
    <list>
      <param name="label">Choose a Data Source</param>
      <param name="value"></param>
      <param name="selected">true</param>
    </list>
    <list>
      <param name="label">Label 1</param>
      <param name="value">value1</param>
    </list>
    <list>
      <param name="label">Label 2</param>
      <param name="value">value2</param>
    </list>
  </param>

  <module name="ValueSetter">
    <param name="name">conditionalPostProcess</param>
    <param name="if.$dataSource$=value1[priority=1]">search param="something" | stats sum(unit) as MB by param</param>
    <param name="if.$dataSource$=value2[priority=2]">search param="somethingElse" | stats sum(unit) as MB by param</param>
    <param name="default">stats count | eval param="error - dataSource had unexpected value - ( $dataSource$ )</param>

    <module name="PostProcess">
      <param name="search"><![CDATA[ $conditionalPostProcess$]]></param>

      ... other modules needing the postprocess'ed results go here...

    </module>
  </module>
</module>
0 Karma

redc
Builder

I may have oversimplified my example. I can certainly see how this would work for the sample code I posted, though!

In reality, I have multiple PostProcess modules to run for each value of dataSource. I suppose I could add a "delim" parameter to the conditionalPostProcess ValueSetter, and each of the PostProcess search params would then be, $conditionalPostProcess[i]$?

0 Karma

sideview
SplunkTrust
SplunkTrust

That's right. Or you could go the other way and have multiple ValueSetters up top, each with the same conditional logic but creating different keys.

At a certain point, if your use case is super complex, the Gate+Switcher approach may be what you want. However it also may become easier to write/maintain a customBehavior.

In the XML you would have this one module:

<module name="CustomBehavior">
  <param name="name">createCustomKeys</param>
  ....  modules go here ....
</module>

and in application.js the customBehavior's definition would look like:

Sideview.utils.declareCustomBehavior("createCustomKeys", function(module) {
    module.getModifiedContext = function() {
        var context = this.getContext();
        var dataSource = context.get("dataSource");
        if (dataSource=="value1") {
            context.set("postprocessTheFirste", "search param="something" | stats sum(unit) as MB by param");
            context.set("postprocessTheSeconde", "| timechart count");
            context.set("postprocessTheThirde", "| stats count");
        } 
        else if (dataSource=="value2") {
            context.set("postprocessTheFirste", "search param="somethingElse" | stats sum(unit) as MB by param");
            context.set("postprocessTheSeconde", "search param="somethingElse | timechart count by bar");
            context.set("postprocessTheThirde", "search param="somethingElse | chart count over elseness by somethingSomething");
        }
        return context;
    }
});

with it creating various keys, here $postProcessTheFirste$, $postprocessTheSeconde$ and so on and so forth.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...