Simple XML - Set a custom token issued from inline search within a simple XML dashboard

SplunkTrust

Hi,

I would like to be able to set a custom token issued from an inline search within a Simple XML dashboard. My goal is to replace the Sideview ResultValueSetter module I'm currently using in Advanced XML.

This search is designed to return the best possible span value depending on the time range selected by the user, under the form: span=

I think this can be done using JavaScript. I have an inline search (called by a macro) that generates the custom token I want to recycle within my view.

There are several examples close to my goal in the Splunk 6 Dashboard Examples app:

  • customapptoken
  • customresttoken
  • customformmultiselect

The customapptoken JavaScript code below sets an example custom token:

require(['splunkjs/mvc','splunkjs/mvc/utils','splunkjs/mvc/simplexml/ready!'], function(mvc, utils){
    var unsubmittedTokens = mvc.Components.getInstance('default');
    var submittedTokens = mvc.Components.getInstance('submitted');
    // Set the token $app$ to the name of the current app
    unsubmittedTokens.set('app', utils.getCurrentApp());
    // Set the token $view$ to the name of the current view
    unsubmittedTokens.set('view', utils.getPageInfo().page);

    // Submit the new tokens
    submittedTokens.set(unsubmittedTokens.toJSON());
});

Indeed, I would like the same thing, but with the token set by an inline search within the JS.
I've tried this kind of non-working code:

require(['jquery',
    'underscore',
    'splunkjs/mvc',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/simplexml/ready!'], 
    function($, _, mvc, utils, SearchManager){

    var unsubmittedTokens = mvc.Components.getInstance('default');
    var submittedTokens = mvc.Components.getInstance('submitted');

        //Run the search the multi select is looking for
        var spanSearch = new SearchManager({
            "id": "spanSearch",
            "earliest_time": "-1d@d",
            "status_buckets": 0,
            "search": "`my_macro`",
            "cancelOnUnload": true,
            "latest_time": "@d",
            "auto_cancel": 90,
            "preview": true
        }, {tokens: true}); 

    //Set the initial value for the query.
    setspan(submitted.get('span'));   

    // Submit the new tokens
    submittedTokens.set(unsubmittedTokens.toJSON());


    }
);

I don't know how to get the token within the JS and make it available within the view...

Also, I need the earliest and latest time to be set by the TimeRangePicker present within the view. Every piece of JavaScript code I see has the time range value set statically within the code and not dynamically by the TimeRangePicker (as done above).

Thank you very much for any help, I think it would be useful for many people to add this kind of case to the Splunk 6 dashboard examples custom token section 🙂

Re: Simple XML - Set a custom token issued from inline search within a simple XML dashboard

Splunk Employee

Not sure I understand the question completely: You have a search that returns one row as a result that you'd like to pull a value out of and put it in a token on the page?

0 Karma

Re: Simple XML - Set a custom token issued from inline search within a simple XML dashboard

SplunkTrust

Hi! Thanks for answering, you understood the question.

Sideview has a very useful module, "ResultValueSetter", that makes the result of a search available downstream to any nested module within an Advanced XML view.

I'm simply trying to achieve the same thing in Simple XML.

My use context is the following:
- I have a specific macro that issues a quick search to get the min and max time range of the search from the user's selection
- depending on that selection, the macro sets a custom span value that will be used by other modules to have the best possible interval

0 Karma

Re: Simple XML - Set a custom token issued from inline search within a simple XML dashboard

SplunkTrust

In Simple XML, I can partially achieve this by adding a "return" statement within the macro and using it as a subsearch.

Even if this works, it is quite incomplete and not as useful as Sideview's module.

0 Karma

Re: Simple XML - Set a custom token issued from inline search within a simple XML dashboard

Explorer

Hi guilmxm,

Have you found a solution to this issue?

Thanks,

0 Karma

Re: Simple XML - Set a custom token issued from inline search within a simple XML dashboard

SplunkTrust

Hi, yes, more or less, but yes: for both Simple XML and Web Framework views I found a solution.

See my own answer above

0 Karma

Re: Simple XML - Set a custom token issued from inline search within a simple XML dashboard

SplunkTrust

The functional purpose of this is to define a custom span value for searches inside my views, to generate charts that are as accurate as possible with respect to the JS chart limit on the number of points in a chart.

For Simple XML views, I have a macro which at the very end will return a span value:

macros.conf

[inline_customspan(2)]
args = type,hostname
definition = [ search index="nmon" sourcetype="nmon_data" $type$ $hostname$ | head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)\
| return span ]
iseval = 0

Then, in my Simple XML views, I call the search like this:

index="nmon" sourcetype="nmon_data" type="LPAR" $hostname$ | `$timefilter$` | $indicator$ | $aggregate$ | timechart `inline_customspan(type=LPAR,$hostname$)` limit=0 useother=f $statsmode$(usage) As usage by hostname

For Web framework views:

I have the same macro but without the return statement:

[inline_customspan_django(2)]
args = type,hostname
definition = head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)
iseval = 0

Then, in my Web Framework views, I first set an input form:

    <tr>
        <td>
            <p></p>
            <b>Timechart Auto Interval definition:</b>
        </td>
        <td>
            <p></p>
            {% dropdown id="interval-dropdown" managerid="interval-definition" valueField="span" selectFirstChoice="true" showClearButton=false value="$valuesspan$"|token_safe %}
        </td>
    </tr>

Then, the associated searchmanager:

<!-- Interval Definition (span) -->

{% searchmanager
    id="interval-definition" search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ | `inline_customspan_django(type=TOP,hostname=$valueshostname$)`'|token_safe
    autostart=True  
    cache=False
    earliest_time="$earlyval$"|token_safe
    latest_time="$lateval$"|token_safe
    auto_cancel=60
    preview=True %}

And finally, the searchmanager which will use that token:

{% searchmanager 
id="timesearch-cpu" 
search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ Command=$valuescommand$ | dedup _time,pct_CPU,PID,Command,hostname | eval limit=(logical_cpus*100) | where pct_CPU<=limit | $valuesincrease$ | stats sum(pct_CPU) As pct_CPU,last(logical_cpus) As logical_cpus by _time,Command | eval conso_per_core=(pct_CPU/100) | stats sum(conso_per_core) As conso_per_core by _time,Command | timechart span=$valuesspan$ useother=f limit=20 $valuesstats$(conso_per_core) as "Usage_per_single_core" by Command'|token_safe 
earliest_time="$earlyval$"|token_safe
latest_time="$lateval$"|token_safe
cache=False
auto_cancel=60
preview=True %}

All that stuff is available within the context of the Nmon Splunk App:

https://apps.splunk.com/app/1753/
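
Added example, not part of the thread or of the Nmon app's code: one way to do what the original question asks in Simple XML dashboard JavaScript, reading the span field from a search's first result row and publishing it as the $span$ token. The value is validated first because the token is substituted verbatim into the searches of other panels. The extractSpan helper, the search string and the $earliest$/$latest$ time picker tokens are assumptions.

```javascript
// Only a bare timechart span ("10s", "5m", "12h", "4d") is accepted, because
// the token is substituted verbatim into the SPL of other panels.
var SPAN_RE = /^[1-9][0-9]{0,3}[smhd]$/;

// Read the "span" column of the first row of a json_rows payload:
// { fields: ["span"] or [{name: "span"}], rows: [[...], ...] }.
// Returns the validated span string, or null when absent or malformed.
function extractSpan(data) {
    if (!data || !Array.isArray(data.fields) || !Array.isArray(data.rows)) {
        return null;
    }
    var names = data.fields.map(function (f) {
        return (f && typeof f === 'object') ? f.name : f;
    });
    var idx = names.indexOf('span');
    var row = data.rows[0];
    if (idx === -1 || !Array.isArray(row)) {
        return null;
    }
    var value = String(row[idx]).trim();
    return SPAN_RE.test(value) ? value : null;
}

// Dashboard wiring: runs only in the browser, under Splunk Web's AMD loader.
if (typeof window !== 'undefined' && typeof require === 'function') {
    require(['splunkjs/mvc', 'splunkjs/mvc/searchmanager',
             'splunkjs/mvc/simplexml/ready!'], function (mvc, SearchManager) {
        var defaultTokens = mvc.Components.getInstance('default');
        var submittedTokens = mvc.Components.getInstance('submitted');
        var spanSearch = new SearchManager({
            id: 'spanSearch',
            // ASSUMPTION: the thread's macro variant without "| return span".
            search: 'index=nmon sourcetype=nmon_data type=TOP ' +
                    '| `inline_customspan_django(type=TOP,hostname=*)`',
            // ASSUMPTION: the view's time picker publishes $earliest$/$latest$.
            earliest_time: '$earliest$',
            latest_time: '$latest$',
            preview: false
        }, { tokens: true });
        var results = spanSearch.data('results');
        results.on('data', function () {
            var span = extractSpan(results.data());
            if (span === null) { return; }  // keep the previous token value
            defaultTokens.set('span', span);
            submittedTokens.set('span', span);
        });
    });
}
```

Panels can then use span=$span$ in their searches; a result that is not a plain number-plus-unit value never reaches the token.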