
Change & Condition within a multiselect with token

jmorenog
New Member

The first change condition is working fine, but the second one, where I am setting a token with a different value, is not.

What I want to do is to change the search query when the value is "All". And when the value has categories, add the where to the query.

Let me show what I have:

<input type="multiselect" token="categories" searchWhenChanged="false">
    <label>Select Categories</label>
    <fieldForLabel>category</fieldForLabel>
    <fieldForValue>category</fieldForValue>
    <search>
        <query>index=abc  "allcategories"</query>
    </search>
    <valuePrefix>"</valuePrefix>
    <choice value="*">All</choice>
    <change>
        <condition value="*">
            <set token="search_filter1">index=abc </set>
        </condition>
        <condition>
            <set token="search_filter1">index=abc  | where category IN ($categories$)</set>
        </condition>
    </change>
</input>

Then I have a panel like this:

<panel>
    <title>Panel by categories</title>
    <table>
      <search>
        <query>$search_filter1$ | stats count by category</query>
      </search>
    </table>
</panel>

 

0 Karma

ITWhisperer
SplunkTrust

You could do something like this:

<input type="multiselect" token="categories" searchWhenChanged="false">
    <label>Select Categories</label>
    <fieldForLabel>category</fieldForLabel>
    <fieldForValue>category</fieldForValue>
    <choice value="All">All</choice>
    <search>
       <query>index=abc  "allcategories"</query>
    </search>
    <prefix>index=abc | where (</prefix>
    <valuePrefix>category="</valuePrefix>
    <valueSuffix>"</valueSuffix>
    <delimiter> OR </delimiter>
    <suffix>)</suffix>
    <change>
       <eval token="form.categories">case(mvcount('form.categories')=0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")&gt;0,"All",mvcount('form.categories')&gt;1 AND mvfind('form.categories',"All")=0,mvfilter('form.categories'!="All"),1==1,'form.categories')</eval>
       <eval token="search_filter1">if(mvfind('form.categories',"All")=0,"index=abc",$categories$)</eval>
   </change>
</input>

Things to note:

- The static choice of All is first; this is required so that the mvfind will return 0 if All has been selected.
- The case in the first eval does a number of things: it sets the default to "All", it sets the field to just "All" if "All" is selected when there are other choices selected, and it removes "All" if other choices are selected after "All".
- The second eval sets the search filter based on whether "All" is at the beginning of the selection.
- Rather than using IN, this builds a set of OR'd comparisons; you could modify it to generate an IN clause if you prefer.

0 Karma
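Added example, not part of the thread and not Splunk code: a Python model of the two eval expressions in the answer above, showing how each change to the multiselect is normalised and which search string results. The function names are hypothetical, exact matching stands in for mvfind's regex match, an empty selection is counted as 0 as the expression assumes, and the `style="in"` output is an assumption about what the IN variant mentioned in the answer would emit.

```python
# Model of the answer's <change> logic. Values mirror the page: index=abc, field "category".
ALL = "All"


def mvfind(values, target):
    """Index of the first value equal to target, or None (Splunk returns null)."""
    # Assumption: exact comparison replaces mvfind's regex match.
    for i, v in enumerate(values):
        if v == target:
            return i
    return None


def normalize(selection):
    """First eval: the value written back to form.categories after a change."""
    n = len(selection)
    pos = mvfind(selection, ALL)
    if n == 0:
        return [ALL]  # nothing selected: fall back to All
    if n > 1 and pos is not None and pos > 0:
        return [ALL]  # All picked after other values: keep only All
    if n > 1 and pos == 0:
        return [v for v in selection if v != ALL]  # values picked after All: drop All
    return list(selection)


def search_filter(selection, style="or"):
    """Second eval: bare base search for All, otherwise base search plus a where clause."""
    if mvfind(selection, ALL) == 0:
        return "index=abc"
    if style == "in":
        quoted = ",".join(f'"{v}"' for v in selection)
        return f"index=abc | where category IN ({quoted})"
    ored = " OR ".join(f'category="{v}"' for v in selection)
    return f"index=abc | where ({ored})"


if __name__ == "__main__":
    # Constructed click sequences, in the order the values were selected.
    for raw in ([], ["All", "A"], ["A", "B", "All"], ["A", "C"]):
        sel = normalize(raw)
        print(raw, "->", sel, "->", search_filter(sel))
```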

bowesmana
SplunkTrust

@jmorenog 

<change> is not officially supported for multiselect inputs, see https://docs.splunk.com/Documentation/Splunk/8.1.4/Viz/PanelreferenceforSimplifiedXML#input_.28form....

I am not sure what will happen with <change> in that context, but your definition of the multiselect only has a valuePrefix, no suffix, delimiter or token prefix/suffix, so not sure what $categories$ will represent when you add/remove options.

0 Karma

jmorenog
New Member

Thanks for your answer @bowesmana

Ohh, I didn't know change is not supported for multiselect. Thanks.

I forgot to add those values but here they go:

<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> ,</delimiter>

There are 4 categories: A, B, C, D in the multiselect. If there are categories selected in the input, I want to add to the query "| where category IN ($categories$)". But if it is "All", I don't want that statement.

 

0 Karma