
Update value of token on change of input

Engager

In the definition of my dashboard, which I define using Simple XML, I start out by setting a token that relies on other variables. I want to re-evaluate this token when I change one of the input variables in the token.

  <init>
    <set token="baseQuery">
      index=$environment$ logGroup="/aws/lambda/*"
      | transaction traceId startswith=$fromEvent$ endswith=$toEvent$
    </set>
  </init>

That is the base query to which I append extra text to get the full query behind each of my dashboards:

  <query>$baseQuery$ | stats </query>

The variables like $fromEvent$ and $toEvent$ are extracted using input elements:

  <input type="dropdown" token="fromEvent" searchWhenChanged="true">
    <label>fromEvent</label>
    <choice value="START">START</choice>
    <choice value="FINISH">FINISH</choice>
    <default>SHIPMENT_RECEIVED</default>
  </input>

I'd like the baseQuery to be re-evaluated when I select a new value in my dropdown.
I have tried to add several child elements to the input element but I cannot make it work.

  <change>
    <set token="baseQuery"></set>
  </change>

  <change>
    <set token="baseQuery">$baseQuery$</set>
  </change>

  <change>
    <set token="baseQuery">$baseQuery.value$</set>
  </change>

But none of them seem to work.

It does work when I set the query again. This causes duplicate code. In reality the query is a lot longer than what you see here. So it is very verbose:

  <change>
    <set token="baseQuery">
      index=$environment$ logGroup="/aws/lambda/*"
      | transaction traceId startswith=$fromEvent$ endswith=$toEvent$
    </set>
  </change>

Is there any way to update the value of the baseQuery token without setting it again as a whole? It should be updated when I change one of the input values.


SplunkTrust

@nxtra, move the code to set the search from the <init> section to an independent <search>, which should be dependent on all the inputs to be set:

  <search>
    <query>| makeresults
  | fields - _time
  | eval baseQuery=" index=$environment$ logGroup=\"/aws/lambda/*\" | transaction traceId startswith=$fromEvent$ endswith=$toEvent$"
    </query>
    <earliest>-1s</earliest>
    <latest>now</latest>
    <done>
      <set token="tokBaseQuery">$result.baseQuery$</set>
    </done>
  </search>

The following is a run-anywhere example that you can try:

<form>
  <label>Update Token on Change of input</label>
  <init>
    <set token="environment">Environment</set>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="fromEvent" searchWhenChanged="true">
      <label>fromEvent</label>
      <choice value="A">Alpha</choice>
      <choice value="B">Beta</choice>
      <default>A</default>
    </input>
    <input type="dropdown" token="toEvent" searchWhenChanged="true">
      <label>toEvent</label>
      <choice value="C">Charlie</choice>
      <choice value="D">Delta</choice>
      <default>C</default>
    </input>
  </fieldset>
  <search>
    <query>| makeresults
  | fields - _time
  | eval baseQuery=" index=$environment$ logGroup=\"/aws/lambda/*\" | transaction traceId startswith=$fromEvent$ endswith=$toEvent$"
    </query>
    <earliest>-1s</earliest>
    <latest>now</latest>
    <done>
      <set token="tokBaseQuery">$result.baseQuery$</set>
    </done>
  </search>
  <row>
    <panel>
      <html>
        tokBaseQuery: $tokBaseQuery$
      </html>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Engager

That is what I'm looking for. What's the reason you add the | fields - _time part in the query with <earliest>-1s</earliest> <latest>now</latest>?

SplunkTrust

The makeresults command gives a single row in the above case for us to generate some dummy data as per our use case.

By default, the makeresults command adds _time as the current time to each row it generates. Since it is not required, I have removed it. In your case it is not absolutely required to remove the _time field, as the output of the search is not displayed.


Esteemed Legend

None of this should be necessary. Whenever a token changes, everywhere that it is referenced instantaneously changes as well and the things that it is attached to (i.e. a search) will be restarted with the new value in place. That is the whole point. You are trying to reinvent something that already works automatically.
