Dashboards & Visualizations

Change a part of query based on dropdown selected value

Path Finder

I have a dropdown with values as follows

<choice value="S_M_SCMSA_SUB_TRUEUP">PostPaid Subscriber Data from Samson</choice>
        <choice value="S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP">PrePaid Subscriber through ESP</choice>
        <choice value="S_M_SCMSA_PCR_PP_SUB_FEATURE_TRUEUP">PrePaid Features through ESP</choice>
        <choice value="S_M_SAA_REP_SUBSCRIBER_ACTIVITYe">Subscribers from SAA</choice>
        <choice value="S_M_SAA_REP_PRODUCT_ACTIVITY">Features from SAA</choice>
        <choice value="S_M_SCMSA_POS_TRANS">PoS records in Adapter</choice>
        <choice value="*ADP-ECS~*">File Count to ECS</choice>
        <choice value="*ADP-DCS~*">File Count to DCS</choice>
        <choice value="*ADP-ICM~*">File Count to CCS</choice>
        <choice value="S_M_FILE_SUBACTIVITY_TO_ECS">Subscriber Events to ECS</choice>
        <choice value="S_M_FILE_FEATUREACT_TO_ECS">Feature Events to ECS</choice>
        <choice value="S_M_DCS_SUB_ACTIVITY">Subscriber Events to DCS</choice>
        <choice value="S_M_DCS_FEATURE_ACTIVITY">Feature Events to DCS</choice>

Now I want to change the query based on the selected value ,for Eg:

If the user selects "Prepaid Subscriber Data from Samson" then the query will be

 taskName='S_M_SCMSA_SUB_TRUEUP' status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
     | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") |chart sum(rowCount) over runDate 

and for "PrePaid Features through ESP" the query will be:

taskName='S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP' status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
  | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") |chart sum(rowCount) over runDate 

and the most important if I select "File Count to ECS" , the query will be

taskName='*ADP-ECS~*' status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
  | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") | chart count over runDate

here we are also changing the part of the query (i.e) for the other options we getting "|chart sum(rowCount) over runDate " but for here we want to only "chart count over runDate"

I know we can do it by using tokens on dropdown change event, But is there any other way to do it, like using if condition or something simpler.Can anyone please help me to do it

0 Karma

Super Champion

Try like this:

<form>
  <label>Dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Select a value</label>
      <default>*</default>
       <choice value="S_M_SCMSA_SUB_TRUEUP">PostPaid Subscriber Data from Samson</choice>
         <choice value="S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP">PrePaid Subscriber through ESP</choice>
         <choice value="S_M_SCMSA_PCR_PP_SUB_FEATURE_TRUEUP">PrePaid Features through ESP</choice>
         <choice value="S_M_SAA_REP_SUBSCRIBER_ACTIVITYe">Subscribers from SAA</choice>
         <choice value="S_M_SAA_REP_PRODUCT_ACTIVITY">Features from SAA</choice>
         <choice value="S_M_SCMSA_POS_TRANS">PoS records in Adapter</choice>
         <choice value="*ADP-ECS~*">File Count to ECS</choice>
         <choice value="*ADP-DCS~*">File Count to DCS</choice>
         <choice value="*ADP-ICM~*">File Count to CCS</choice>
         <choice value="S_M_FILE_SUBACTIVITY_TO_ECS">Subscriber Events to ECS</choice>
         <choice value="S_M_FILE_FEATUREACT_TO_ECS">Feature Events to ECS</choice>
         <choice value="S_M_DCS_SUB_ACTIVITY">Subscriber Events to DCS</choice>
         <choice value="S_M_DCS_FEATURE_ACTIVITY">Feature Events to DCS</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title> test</title>
      <chart>
        <search>
          <query>
          taskName="$sourcetype$" status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
   | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") | chart count over runDate</query>
          <earliest>-20h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>

Here in dropdown set token name as here it is "sourcetype" and use this token in your query as $sourcetype$ which will get change as per selection changes and add searchWhenChanged="true" to get change .

0 Karma

Path Finder

@493669 As posted earlier, For "File Count to ECS" I need to get "chart count over runDate" but for others it would be " chart sum(rowCount) over runDate".

0 Karma

Super Champion

ohhk... I misunderstood your question..

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!