
I have two macros; depending on the hostname typed into the text input, it should select the macro dynamically. I'm using the code below.

Observer

My Scenario:-

Macro1=USBaseSearch
Macro2= ADBaseSearch
If host=AB*, then I need to get the data from macro USBaseSearch; if (host=C* OR host != AB*), then I need to get the data from a different macro, ADBaseSearch.

UAT

$Prefixhost$_Basesearch($HostName$) | fields *
$TimeSpan.earliest$
$TimeSpan.latest$

<query>`$Prefixhost$_Process($HostName$)` instance=$instance$ | fields *</query>
<earliest>$TimeSpan.earliest$</earliest>
<latest>$TimeSpan.latest$</latest>

<row> 

       <input type="radio" searchWhenChanged="true" token="Enter SID/HostName">

HostName

SID


$SID$
$HostName$


$HostName$
$SID$







UA


CloneGSO


CloneGSO


CloneGSO


CloneGSO


CloneGSO










-4h@m
now




Select Timechart Span:
Select a Span from dropdown to set chart resolution.



Search by Hostname:
Click on a row of "SID to Host Lookup" for Perfmon statistics



<input type="dropdown" depends="$showdebug$" searchWhenChanged="true" token="chartSpan">

1 Minute
5 Minutes
10 Minutes
15 Minutes
30 Minutes
60 Minutes
5m
5m



Enable



SID to Host Lookup


source=Useractivitystats index=wkssummary sourcetype="useractivitystats" SID=$SID$ | convert auto(LastReported) auto(FirstReported) | table orighost SID FirstReported LastReported time | dedup SID orighost sortby -LastReported | sort -LastReported | convert ctime(FirstReported) ctime(LastReported)| rename orighost as HostName
-30d@d
@d

true
true
none

$row.HostName$



US


AD


AD


AD


AD


AD




row
20






CPU Utilization

OverAll
<search base="OverviewData" >
| timechart span=$chartSpan$ avg("%ProcessorTime") as %ProcessorTime, avg("%UserTime") as %UserTime, avg("%PrivilegedTime") as %PrivilegedTime avg("%InterruptTime") as %InterruptTime


Context Switches/Sec

| timechart span=$chartSpan$ Avg(Context_Switches/sec) As "Context Switches/sec"




1 Solution

Contributor

Hi,

I'm not sure if I can give you the answer that you're looking for, but I might be able to point you in the direction of some places to look.

I think when posting your question, you didn't quite get all the formatting as code so it's a bit broken. No worries, we'll try to figure it out.

Some things to note:

  1. You can't use <fieldset></fieldset> tags within the <drilldown></drilldown> Event Handler.
    Check this out in the docs: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown

  2. The <condition></condition> element works slightly differently in <drilldown></drilldown>. You can't use it with a match command.
    Have a look here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Condition_.28drilldown....

One strategy you could try would be to create an <input type="dropdown"></input> and populate it with a search that lists all of your HostNames.

Then you could use <change></change> and <condition></condition> elements to create your Prefixhost token.

Alternatively, if you want to use the <table></table> and <drilldown></drilldown> approach, you could eval the correct Macro Name into the search.

Then when your users click on a row, you can take that Macro Name token and use it to create later searches.

Like this:

alt text

I know that this may not be exactly what you're looking for, but it might spark some ideas.

Finally, if you haven't come across it yet in your Splunk journey, check out the excellent 'Dashboard Examples App' on Splunkbase. Install it on a test system, and use it as a reference for what's possible. You can find it here: https://splunkbase.splunk.com/app/1603/

Best of luck.

Here's the code for that example, which you could paste into a new Dashboard just to see what I mean.
(You can ignore the search, that was just to create some data to work with):

<dashboard>
  <label>Test - Table Drilldown</label>
  <row>
    <panel>
      <title>My Data</title>
      <table>
        <search>
          <query>
            <![CDATA[| makeresults 
            | fields - _time 
            | eval HostName=mvappend("CH1234", "/1234", "ATC1234", "L1234", "1CP", "W1234") 
            | mvexpand HostName 
            | eval Time=strftime(time(),"%H:%M:%S %d/%m/%Y"), OtherTime=strftime(time()+121,"%H:%M:%S %d/%m/%Y")
            | eval Environment=case(match(HostName,"^CH.*"),"US_Macro",match(HostName,"^/\d.*|^ATC.*|^L.*|^\dCP.*|^W.*"),"AD_Macro")
            | table HostName Time OtherTime Environment
            ]]>
          </query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="my.click.name">$click.name$</set>
          <set token="my.click.value">$click.value$</set>
          <set token="my.click.name2">$click.name2$</set>
          <set token="my.click.value2">$click.value2$</set>
          <set token="my.row.hostname">$row.HostName$</set>
          <set token="my.row.time">$row.Time$</set>
          <set token="my.row.othertime">$row.OtherTime$</set>
          <set token="my.row.environment">$row.Environment$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <div>click.name = $my.click.name$</div>
        <div>click.value = $my.click.value$</div>
        <div>click.name2 = $my.click.name2$</div>
        <div>click.value2 = $my.click.value2$</div>
        <div>row.HostName = $my.row.hostname$</div>
        <div>row.Time = $my.row.time$</div>
        <div>row.OtherTime = $my.row.othertime$</div>
        <h3>row.Environment = $my.row.environment$</h3>
        <h3>Run this search: $my.row.environment$_Process($my.row.hostname$)</h3>
      </html>
    </panel>
  </row>
</dashboard>


0 Karma
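An added example, not part of the original posts: a variant of the dropdown strategy described in the answer above, deriving the macro prefix in a hidden search rather than with `<condition>` match expressions. It assumes macros named `US_Basesearch(1)` and `AD_Basesearch(1)` and the AB* rule from the question; the index, sourcetype and `orig_host` field are taken from the asker's own query.

```xml
<form>
  <label>Macro prefix from HostName (added example)</label>
  <!-- Hidden search: derives the macro prefix. The |s filter quotes the
       token value so it reaches eval as a string literal. -->
  <search>
    <query>| makeresults | eval Prefixhost=if(match($HostName|s$,"^AB"),"US","AD")</query>
    <done>
      <set token="Prefixhost">$result.Prefixhost$</set>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="TimeSpan" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Host names come from indexed data, not from free text. -->
    <input type="dropdown" token="HostName" searchWhenChanged="true">
      <label>HostName</label>
      <fieldForLabel>HostName</fieldForLabel>
      <fieldForValue>HostName</fieldForValue>
      <search>
        <query>index=wks_summary sourcetype="user_activity_stats" | stats count by orig_host | rename orig_host as HostName | fields HostName</query>
        <earliest>-30d@d</earliest>
        <latest>@d</latest>
      </search>
      <change>
        <!-- Drop the previous prefix so the panel waits for the new one. -->
        <unset token="Prefixhost"></unset>
      </change>
    </input>
  </fieldset>
  <row depends="$Prefixhost$">
    <panel>
      <title>$Prefixhost$_Basesearch for $HostName$</title>
      <table>
        <search>
          <query>`$Prefixhost$_Basesearch($HostName$)` | fields *</query>
          <earliest>$TimeSpan.earliest$</earliest>
          <latest>$TimeSpan.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```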


Observer

UAT

$Prefixhost$_Basesearch($HostName$) | fields *
$TimeSpan.earliest$
$TimeSpan.latest$

<query>`$Prefixhost$_Process($HostName$)` instance=$instance$ | fields *</query>
<earliest>$TimeSpan.earliest$</earliest>
<latest>$TimeSpan.latest$</latest>




       <input type="radio" searchWhenChanged="true" token="Enter SID/HostName">

HostName

SID


$SID$
$HostName$


$HostName$
$SID$







UA


CloneGSO


CloneGSO


CloneGSO


CloneGSO


CloneGSO










-4h@m
now




Select Timechart Span:
Select a Span from dropdown to set chart resolution.



Search by Hostname:
Click on a row of "SID to Host Lookup" for Perfmon statistics



<input type="dropdown" depends="$showdebug$" searchWhenChanged="true" token="chartSpan">

1 Minute
5 Minutes
10 Minutes
15 Minutes
30 Minutes
60 Minutes
5m
5m



Enable

</panel>
<panel >
  <title>SID to Host Lookup</title>
  <table depends="$SID$">
    <search >
      <query>source=User_activity_stats index=wks_summary sourcetype="user_activity_stats" SID=$SID$ | convert auto(Last_Reported) auto(First_Reported) | table  orig_host  SID  First_Reported Last_Reported _time | dedup SID orig_host sortby -Last_Reported | sort -Last_Reported | convert  ctime(First_Reported) ctime(Last_Reported)| rename orig_host as HostName</query>

      <earliest>-30d@d</earliest>
      <latest>@d</latest>

    </search>
    <option name="wrap">true</option>
    <option name="rowNumbers">true</option>
    <option name="dataOverlayMode">none</option>
    <drilldown>
     <set token="HostName" >$row.HostName$</set>
     <fieldset autoRun="true" submitButton="false">
    <change>
      <condition match="match('row.value',&quot;^CH.*&quot;)">
        <set token="Prefixhost">UA</set>
      </condition>
      <condition match="match('row.value',&quot;^V\d{1,2}\d\d.*&quot;)">
        <set token="Prefixhost">Clone_GSO</set>
      </condition>
      <condition match="match('row.value',&quot;L.*&quot;)">
       <set token="Prefixhost">Clone_GSO</set>
      </condition>
      <condition match="match('row.value',&quot;ATC.*&quot;)">
       <set token="Prefixhost">Clone_GSO</set>
      </condition>
      <condition match="match('row.value',&quot;\dCP.*&quot;)">
        <set token="Prefixhost">Clone_GSO</set>
      </condition>
       <condition match="match('row.value',&quot;W.*&quot;)">
         <set token="Prefixhost">Clone_GSO</set>
      </condition>    
        </change>
         </fieldset>
     <option name="drilldown">row</option>
    <option name="count">20</option>
    </drilldown>
    </table>
          </panel>
      </row>
         <row depends="$HostName$">
<panel>
  <title>CPU Utilization</title>

  <chart id="link1">
    <title>OverAll</title>
    <search base="Overview_Data" >
      <query> | timechart span=$chartSpan$ avg("%_Processor_Time") as %_Processor_Time, avg("%_User_Time") as %_User_Time, avg("%_Privileged_Time") as %_Privileged_Time avg("%_Interrupt_Time") as %_Interrupt_Time</query>
    </search>

  <chart id="link35">
    <title>Context Switches/Sec</title>
    <search base="Overview_Data" >
      <query> | timechart span=$chartSpan$ Avg(Context_Switches/sec) As "Context Switches/sec"</query>
    </search>

  </chart>
  </panel>
  </row>
  </form>
0 Karma