All Apps and Add-ons

Simple XML - Set a custom token issued from inline search within a simple XML dashboard

guilmxm
SplunkTrust
SplunkTrust

Hi,

I would like to able to set a custom token issued from an inline search within a Simple XML dashboard, my goal is to replace the sideview's resultvaluesetter module i'm currently using in Advanced XML.

This search is designed to return the better span value possible depending on timerange selected by the user under the form: span=

I think this can be done using javascript, i have an inline search (called by a macro) that generates the custom token i want to recycle within my view.

There are several examples closed to my goal in Splunk 6 dashboard examples app:

  • custom_app_token
  • custom_rest_token
  • custom_form_multiselect

The custom_app_token javascript code as follows sets an example of custom token:

require(['splunkjs/mvc','splunkjs/mvc/utils','splunkjs/mvc/simplexml/ready!'], function(mvc, utils){
    var unsubmittedTokens = mvc.Components.getInstance('default');
    var submittedTokens = mvc.Components.getInstance('submitted');
    // Set the token $app$ to the name of the current app
    unsubmittedTokens.set('app', utils.getCurrentApp());
    // Set the token $view$ to the name of the current view
    unsubmittedTokens.set('view', utils.getPageInfo().page);

    // Submit the new tokens
    submittedTokens.set(unsubmittedTokens.toJSON());
});

Indeed, i would like the same thing but with the token set by an inline search within the js
I've tried this kind of non working code:

require(['jquery',
    'underscore',
    'splunkjs/mvc',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/simplexml/ready!'], 
    function($, _, mvc, utils, SearchManager){

    var unsubmittedTokens = mvc.Components.getInstance('default');
    var submittedTokens = mvc.Components.getInstance('submitted');

        //Run the search the multi select is looking for
        var spanSearch = new SearchManager({
            "id": "spanSearch",
            "earliest_time": "-1d@d",
            "status_buckets": 0,
            "search": "`my_macro`",
            "cancelOnUnload": true,
            "latest_time": "@d",
            "auto_cancel": 90,
            "preview": true
        }, {tokens: true}); 

    //Set the initial value for the query.
    setspan(submitted.get('span'));   

    // Submit the new tokens
    submittedTokens.set(unsubmittedTokens.toJSON());


    }
);

I don't know how to get the token within the JS and make it available within the view...

Also, i need earliest and latesttime to be set by the TimeRangePicker present within the view, every javascript piece of code i see has time range value set statically within the code and not dynamically by the TimeRangePicker (like done above)

Thank you very much for any help, i think it would be useful for many people to add this kind of case in the Splunk 6 dashboard example custom token section 🙂

1 Solution

guilmxm
SplunkTrust
SplunkTrust

The functional purpose of this is to define a custom span value for searches inside my views, to generate charts as much as accurate as possible, with respect to JS chart limits of points in a chart.

For Simple XML views, i have a macro which at the very end will return a span value:

macros.conf

[inline_customspan(2)]
args = type,hostname
definition = [ search index="nmon" sourcetype="nmon_data" $type$ $hostname$ | head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)\
| return span ]
iseval = 0

Then, in my simple xml views, i call the search like:

index="nmon" sourcetype="nmon_data" type="LPAR" $hostname$ | `$timefilter$` | $indicator$ | $aggregate$ | timechart `inline_customspan(type=LPAR,$hostname$)` limit=0 useother=f $statsmode$(usage) As usage by hostname

For Web framework views:

I have the same macro but without the return statement:

[inline_customspan_django(2)]
args = type,hostname
definition = head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)
iseval = 0

Then, in my web framework views, i first set an input form:

    <tr>
        <td>
                 <p></p>
        <b>Timechart Auto Interval definition:</b>
        </td>
        <td>
        <p></p>
        {% dropdown id="interval-dropdown" managerid="interval-definition" valueField="span" selectFirstChoice="true" showClearButton=false value="$valuesspan$"|token_safe %}  
                 </td>

    </tr>            

Then, the associated searchmanager:

<!-- Interval Definition (span) -->

{% searchmanager
    id="interval-definition" search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ | `inline_customspan_django(type=TOP,hostname=$valueshostname$)`'|token_safe
    autostart=True  
    cache=False
    earliest_time="$earlyval$"|token_safe
    latest_time="$lateval$"|token_safe
    auto_cancel=60
    preview=True %}

And finally, the searchmanager wich will use that token:

{% searchmanager 
id="timesearch-cpu" 
search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ Command=$valuescommand$ | dedup _time,pct_CPU,PID,Command,hostname | eval limit=(logical_cpus*100) | where pct_CPU<=limit | $valuesincrease$ | stats sum(pct_CPU) As pct_CPU,last(logical_cpus) As logical_cpus by _time,Command | eval conso_per_core=(pct_CPU/100) | stats sum(conso_per_core) As conso_per_core by _time,Command | timechart span=$valuesspan$ useother=f limit=20 $valuesstats$(conso_per_core) as "Usage_per_single_core" by Command'|token_safe 
earliest_time="$earlyval$"|token_safe
latest_time="$lateval$"|token_safe
cache=False
auto_cancel=60
preview=True %}

All that stuff is available within the context of the Nmon Splunk App:

https://apps.splunk.com/app/1753/

View solution in original post

guilmxm
SplunkTrust
SplunkTrust

The functional purpose of this is to define a custom span value for searches inside my views, to generate charts as much as accurate as possible, with respect to JS chart limits of points in a chart.

For Simple XML views, i have a macro which at the very end will return a span value:

macros.conf

[inline_customspan(2)]
args = type,hostname
definition = [ search index="nmon" sourcetype="nmon_data" $type$ $hostname$ | head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)\
| return span ]
iseval = 0

Then, in my simple xml views, i call the search like:

index="nmon" sourcetype="nmon_data" type="LPAR" $hostname$ | `$timefilter$` | $indicator$ | $aggregate$ | timechart `inline_customspan(type=LPAR,$hostname$)` limit=0 useother=f $statsmode$(usage) As usage by hostname

For Web framework views:

I have the same macro but without the return statement:

[inline_customspan_django(2)]
args = type,hostname
definition = head 1 | addinfo\
| eval earliest=if(info_min_time == "0.000", info_search_time,info_min_time)\
| eval latest=if(info_max_time == "+Infinity", info_search_time,info_max_time)\
| eval searchStartTIme=strftime(earliest,"%a %d %B %Y %H:%M")\
| eval searchEndTime=strftime(latest,"%a %d %B %Y %H:%M")\
| eval Difference = (latest - earliest)\
| eval span=case(\
info_min_time == "0.000", "2m",\
Difference > (3000*24*60*60),"4d",\
Difference > (2000*24*60*60),"3d",\
Difference > (1000*24*60*60),"2d",\
Difference > (500*24*60*60),"1d",\
Difference > (333*24*60*60),"12h",\
Difference > (166*24*60*60),"8h",\
Difference > (83*24*60*60),"4h",\
Difference > (41*24*60*60),"2h",\
Difference > (916*60*60),"1h",\
Difference > (833*60*60),"55m",\
Difference > (750*60*60),"50m",\
Difference > (666*60*60),"45m",\
Difference > (583*60*60),"40m",\
Difference > (500*60*60),"35m",\
Difference > (416*60*60),"30m",\
Difference > (333*60*60),"25m",\
Difference > (250*60*60),"20m",\
Difference > (166*60*60),"15m",\
Difference > (83*60*60),"10m",\
Difference > (66*60*60),"5m",\
Difference > (50*60*60),"4m",\
Difference > (33*60*60),"3m",\
Difference > (16*60*60),"2m",\
Difference > (8*60*60),"1m",\
Difference > (2*60*60),"30s",\
Difference <= (2*60*60),"10s"\
)\
| eval spanrestricted=case(\
info_min_time == "0.000", 2*60,\
Difference > (916*60*60),60*60,\
Difference > (833*60*60),55*60,\
Difference > (750*60*60),50*60,\
Difference > (666*60*60),45*60,\
Difference > (583*60*60),40*60,\
Difference > (500*60*60),35*60,\
Difference > (416*60*60),30*60,\
Difference > (333*60*60),25*60,\
Difference > (250*60*60),20*60,\
Difference > (166*60*60),15*60,\
Difference > (83*60*60),10*60,\
Difference > (66*60*60),5*60,\
Difference > (50*60*60),4*60,\
Difference > (33*60*60),180,\
Difference > (16*60*60),"120",\
Difference > (8*60*60),"60",\
Difference > (2*60*60),"30",\
Difference <= (2*60*60),"10"\
)\
| eval span=case(spanrestricted < interval, interval, spanrestricted >= interval, span, isnull(interval), span)
iseval = 0

Then, in my web framework views, i first set an input form:

    <tr>
        <td>
                 <p></p>
        <b>Timechart Auto Interval definition:</b>
        </td>
        <td>
        <p></p>
        {% dropdown id="interval-dropdown" managerid="interval-definition" valueField="span" selectFirstChoice="true" showClearButton=false value="$valuesspan$"|token_safe %}  
                 </td>

    </tr>            

Then, the associated searchmanager:

<!-- Interval Definition (span) -->

{% searchmanager
    id="interval-definition" search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ | `inline_customspan_django(type=TOP,hostname=$valueshostname$)`'|token_safe
    autostart=True  
    cache=False
    earliest_time="$earlyval$"|token_safe
    latest_time="$lateval$"|token_safe
    auto_cancel=60
    preview=True %}

And finally, the searchmanager wich will use that token:

{% searchmanager 
id="timesearch-cpu" 
search='index=nmon sourcetype=nmon_data type=TOP hostname=$valueshostname$ Command=$valuescommand$ | dedup _time,pct_CPU,PID,Command,hostname | eval limit=(logical_cpus*100) | where pct_CPU<=limit | $valuesincrease$ | stats sum(pct_CPU) As pct_CPU,last(logical_cpus) As logical_cpus by _time,Command | eval conso_per_core=(pct_CPU/100) | stats sum(conso_per_core) As conso_per_core by _time,Command | timechart span=$valuesspan$ useother=f limit=20 $valuesstats$(conso_per_core) as "Usage_per_single_core" by Command'|token_safe 
earliest_time="$earlyval$"|token_safe
latest_time="$lateval$"|token_safe
cache=False
auto_cancel=60
preview=True %}

All that stuff is available within the context of the Nmon Splunk App:

https://apps.splunk.com/app/1753/

guilmxm
SplunkTrust
SplunkTrust

Hi, yes more or less but yes, for both Simple XML and Web framework views i found a solution.

See my own answer above

0 Karma

jhlopez
Explorer

Hi guilmxm,

Have you find a solution in this issue?

Thanks,

0 Karma

guilmxm
SplunkTrust
SplunkTrust

In simple xml, i can partially achieve this by adding a "return" statement within the macro and use it as a subsearch.

Even if this works, this is quite uncomplete and not as useful as sideview's module

0 Karma

guilmxm
SplunkTrust
SplunkTrust

Hi ! Thanks for answering, you understood the question.

Sideview has a very useful module 'ResultValueSetter" that make the result of search available and downstreamed to any nested module within and advanced xml view.

I'm simply trying to achieve the same thing in Simple xml.

My use context is the following:
- I have a specific macro that issue a quick search to get min and max timerange search from user selection
- depending on its selection, the macro sets a custom span value that will be used by other modules to have the better possible interval

0 Karma

dfoster_splunk
Splunk Employee
Splunk Employee

Not sure I understand the question completely: You have a search that returns one row as a result that you'd like to pull a value out of and put it in a token on the page?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...