Re: Change a part of query based on dropdown selec...

karthi25 · ‎02-06-2018

I have a dropdown with values as follows

<choice value="S_M_SCMSA_SUB_TRUEUP">PostPaid Subscriber Data from Samson</choice>
        <choice value="S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP">PrePaid Subscriber through ESP</choice>
        <choice value="S_M_SCMSA_PCR_PP_SUB_FEATURE_TRUEUP">PrePaid Features through ESP</choice>
        <choice value="S_M_SAA_REP_SUBSCRIBER_ACTIVITYe">Subscribers from SAA</choice>
        <choice value="S_M_SAA_REP_PRODUCT_ACTIVITY">Features from SAA</choice>
        <choice value="S_M_SCMSA_POS_TRANS">PoS records in Adapter</choice>
        <choice value="*ADP-ECS~*">File Count to ECS</choice>
        <choice value="*ADP-DCS~*">File Count to DCS</choice>
        <choice value="*ADP-ICM~*">File Count to CCS</choice>
        <choice value="S_M_FILE_SUBACTIVITY_TO_ECS">Subscriber Events to ECS</choice>
        <choice value="S_M_FILE_FEATUREACT_TO_ECS">Feature Events to ECS</choice>
        <choice value="S_M_DCS_SUB_ACTIVITY">Subscriber Events to DCS</choice>
        <choice value="S_M_DCS_FEATURE_ACTIVITY">Feature Events to DCS</choice>

Now I want to change the query based on the selected value ,for Eg:

If the user selects "Prepaid Subscriber Data from Samson" then the query will be

 taskName='S_M_SCMSA_SUB_TRUEUP' status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
     | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") |chart sum(rowCount) over runDate

and for "PrePaid Features through ESP" the query will be:

taskName='S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP' status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
  | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") |chart sum(rowCount) over runDate

and the most important if I select "File Count to ECS" , the query will be

taskName='*ADP-ECS~*' status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
  | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") | chart count over runDate

here we are also changing the part of the query (i.e) for the other options we getting "|chart sum(rowCount) over runDate " but for here we want to only "chart count over runDate"

I know we can do it by using tokens on dropdown change event, But is there any other way to do it, like using if condition or something simpler.Can anyone please help me to do it

493669 · ‎02-06-2018

Try like this:

<form>
  <label>Dropdown</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype" searchWhenChanged="true">
      <label>Select a value</label>
      <default>*</default>
       <choice value="S_M_SCMSA_SUB_TRUEUP">PostPaid Subscriber Data from Samson</choice>
         <choice value="S_M_SCMSA_PCR_PP_SUBSCRIBER_TRUEUP">PrePaid Subscriber through ESP</choice>
         <choice value="S_M_SCMSA_PCR_PP_SUB_FEATURE_TRUEUP">PrePaid Features through ESP</choice>
         <choice value="S_M_SAA_REP_SUBSCRIBER_ACTIVITYe">Subscribers from SAA</choice>
         <choice value="S_M_SAA_REP_PRODUCT_ACTIVITY">Features from SAA</choice>
         <choice value="S_M_SCMSA_POS_TRANS">PoS records in Adapter</choice>
         <choice value="*ADP-ECS~*">File Count to ECS</choice>
         <choice value="*ADP-DCS~*">File Count to DCS</choice>
         <choice value="*ADP-ICM~*">File Count to CCS</choice>
         <choice value="S_M_FILE_SUBACTIVITY_TO_ECS">Subscriber Events to ECS</choice>
         <choice value="S_M_FILE_FEATUREACT_TO_ECS">Feature Events to ECS</choice>
         <choice value="S_M_DCS_SUB_ACTIVITY">Subscriber Events to DCS</choice>
         <choice value="S_M_DCS_FEATURE_ACTIVITY">Feature Events to DCS</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <title> test</title>
      <chart>
        <search>
          <query>
          taskName="$sourcetype$" status='COMPLETED'| sort -splunkLogId | dedup taskLogId  | eval startDateModified= strptime( startDate, "%Y-%m-%d %H:%M:%S") | eval newDateFromDash = relative_time($dashboardTime.latest$(), "$dashboardTime.earliest$")
   | where startDateModified > newDateFromDash  | eval runDate = strftime(strptime(startDate, "%Y-%m-%d"),"%Y-%m-%d") | chart count over runDate</query>
          <earliest>-20h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>

Here in dropdown set token name as here it is "sourcetype" and use this token in your query as $sourcetype$ which will get change as per selection changes and add searchWhenChanged="true" to get change .

karthi25 · ‎02-06-2018

@493669 As posted earlier, For "File Count to ECS" I need to get "chart count over runDate" but for others it would be " chart sum(rowCount) over runDate".

493669 · ‎02-06-2018

ohhk... I misunderstood your question..

Change a part of query based on dropdown selected value

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms