Update value of token on change of input

nxtra
Engager

In the definition of my dashboard, which I define using SimpleXML, I start out by setting a token that relies on other variables. I want to re-evaluate this token when I change one of the input variables in the token.

  <init>
    <set token="baseQuery">
      index=$environment$ logGroup="/aws/lambda/*"
      | transaction traceId startswith=$fromEvent$ endswith=$toEvent$
    </set>
  </init>

That is the base query to which I append extra text to get the full query behind each of my dashboards:

  <query>$baseQuery$ | stats </query>

The variables like $fromEvent$ and $toEvent$ are extracted using input elements:

  <input type="dropdown" token="fromEvent" searchWhenChanged="true">
    <label>fromEvent</label>
    <choice value="START">START</choice>
    <choice value="FINISH">FINISH</choice>
    <default>SHIPMENT_RECEIVED</default>
  </input>

I'd like the baseQuery to be re-evaluated when I select a new value in my dropdown.
I have tried to add several child elements to the input element but I cannot make it work.

  <change>
    <set token="baseQuery"></set>
  </change>

  <change>
    <set token="baseQuery">$baseQuery$</set>
  </change>

  <change>
    <set token="baseQuery">$baseQuery.value$</set>
  </change>

But none of them seem to work.

It does work when I set the query again. This causes duplicate code. In reality the query is a lot longer than what you see here. So it is very verbose:

  <change>
    <set token="baseQuery">
      index=$environment$ logGroup="/aws/lambda/*"
      | transaction traceId startswith=$fromEvent$ endswith=$toEvent$
    </set>
  </change>

Is there any way to update the value of the baseQuery token without setting it again as a whole? It should be updated when I change one of the input values.

0 Karma
1 Solution

niketn
Legend

@nxtra, move the code to set the search from <init> section to an independent <search> which should be dependent on all the inputs to be set:

  <search>
    <query>| makeresults
  | fields - _time
  | eval baseQuery=" index=$environment$ logGroup=\"/aws/lambda/*\" | transaction traceId startswith=$fromEvent$ endswith=$toEvent$"
    </query>
    <earliest>-1s</earliest>
    <latest>now</latest>
    <done>
      <set token="tokBaseQuery">$result.baseQuery$</set>
    </done>
  </search>

Following is a run anywhere example that you can try:

<form>
  <label>Update Token on Change of input</label>
  <init>
    <set token="environment">Environment</set>
  </init>
  <fieldset submitButton="false">
   <input type="dropdown" token="fromEvent" searchWhenChanged="true">
      <label>fromEvent</label>
      <choice value="A">Alpha</choice>
      <choice value="B">Beta</choice>
      <default>A</default>
    </input>
    <input type="dropdown" token="toEvent" searchWhenChanged="true">
      <label>toEvent</label>
      <choice value="C">Charlie</choice>
      <choice value="D">Delta</choice>
      <default>C</default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults
  | fields - _time
  | eval baseQuery=" index=$environment$ logGroup=\"/aws/lambda/*\" | transaction traceId startswith=$fromEvent$ endswith=$toEvent$"
    </query>
    <earliest>-1s</earliest>
    <latest>now</latest>
    <done>
      <set token="tokBaseQuery">$result.baseQuery$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        tokBaseQuery: $tokBaseQuery$
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
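
Added example (not part of niketn's post): the same helper search wired to a panel, so the panel's own search is rebuilt from `$tokBaseQuery$` each time a dropdown changes, matching the `$baseQuery$ | stats` pattern in the question. The `| stats count` suffix, the panel title, the 24-hour time range and the `depends` attribute are assumptions chosen for illustration.

```xml
<form>
  <label>Panel driven by tokBaseQuery (added example)</label>
  <init>
    <!-- Placeholder index name, as in the run anywhere example -->
    <set token="environment">Environment</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="fromEvent" searchWhenChanged="true">
      <label>fromEvent</label>
      <choice value="A">Alpha</choice>
      <choice value="B">Beta</choice>
      <default>A</default>
    </input>
    <input type="dropdown" token="toEvent" searchWhenChanged="true">
      <label>toEvent</label>
      <choice value="C">Charlie</choice>
      <choice value="D">Delta</choice>
      <default>C</default>
    </input>
  </fieldset>
  <!-- Helper search: references both input tokens, so it reruns when either changes -->
  <search>
    <query>| makeresults
  | eval baseQuery=" index=$environment$ logGroup=\"/aws/lambda/*\" | transaction traceId startswith=$fromEvent$ endswith=$toEvent$"
    </query>
    <earliest>-1s</earliest>
    <latest>now</latest>
    <done>
      <set token="tokBaseQuery">$result.baseQuery$</set>
    </done>
  </search>
  <row>
    <!-- depends keeps the panel hidden until the helper search has set the token -->
    <panel depends="$tokBaseQuery$">
      <title>Transaction count (assumed panel)</title>
      <single>
        <search>
          <query>$tokBaseQuery$ | stats count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Each further panel appends its own suffix to `$tokBaseQuery$`, so the long base query is written once, in the helper search.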


nxtra
Engager

That is what I'm looking for. What's the reason you add the | fields - _time part in the query with
<earliest>-1s</earliest> <latest>now</latest> ?

0 Karma

niketn
Legend

The makeresults command gives a single row in the above case for us to generate some dummy data as per our use case.

By default, the makeresults command adds _time as current to each row it generates. Since it is not required, I have removed it. In your case it is not absolutely required to remove the _time field, as the output of the search is not displayed.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

None of this should be necessary. Whenever a token changes, everywhere that it is referenced instantaneously changes as well and the things that it is attached to (i.e. a search) will be restarted with the new value in place. That is the whole point. You are trying to reinvent something that already works automatically.

0 Karma