
Conditional token usage

tomapatan
Communicator

I've got 2 base searches:

<search id="Night">

and

<search id="Day">

And a dropdown input:

    <input type="dropdown" token="shift_tok" searchWhenChanged="true">
      <label>Shift:</label>
      <choice value="Day">Day</choice>
      <choice value="Night">Night</choice>
      <default>Day</default>
      <initialValue>Day</initialValue>
    </input>

I need to find a way to reference the base searches, depending on the input provided by the user.

I was hoping to use a token to reference the base searches, but doesn't seem to be working:

<row>
    <panel>
      <title>Timeline</title>
      <table>
        <title>$shift_tok$</title>
        <search base="$Shift_tok$">
          <query>| table Date Shift Timeline "Hourly details of shift"</query>
        </search>
        <option name="count">13</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

 

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Looks like init blocks happen too early, so try adding a hidden row/panel like this

  <row depends="$alwaysHidden$">
    <panel>
      <table>
        <search>
          <query>| makeresults | eval sid1="$SID1$", sid2="$SID2$"</query>
          <done>
            <!-- sid2 holds the Day job (SID2), matching the dropdown default -->
            <set token="selected_shift">$result.sid2$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>

You will notice that you still get waiting for input initially but after a short time the panel will display with the initial search results. If you want to get really fancy, you could change the search in the hidden panel to take the current time into account and set the default / initial dataset accordingly.
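
One way to do what the reply above suggests, choosing the initial dataset from the current time (an added example, not code from the thread). It assumes the 6:45 AM / 6:45 PM shift boundaries stated in the dashboard's NOTES panel and that SID1 is set by the Night base search and SID2 by the Day one, as in the posted XML; the field names hhmm, current_shift and current_sid are made up for the illustration.

```xml
<row depends="$alwaysHidden$">
  <panel>
    <table>
      <search>
        <!-- Runs only once both base searches have set their SID tokens
             (SID1 = Night job, SID2 = Day job in the posted dashboard). -->
        <query>| makeresults
| eval sid_night="$SID1$", sid_day="$SID2$"
| eval hhmm=tonumber(strftime(now(), "%H%M"))
| eval current_shift=if(hhmm&gt;=645 AND hhmm&lt;1845, "Day", "Night")
| eval current_sid=if(current_shift="Day", sid_day, sid_night)
| table current_shift current_sid</query>
        <done>
          <!-- Initial dataset for the Timeline panel's loadjob. -->
          <set token="selected_shift">$result.current_sid$</set>
          <!-- Keep the Shift dropdown and the panel title in step. -->
          <set token="form.shift_tok">$result.current_shift$</set>
        </done>
      </search>
    </table>
  </panel>
</row>
```

strftime renders now() in the time zone of the user viewing the dashboard, so the shift boundaries follow that user's Splunk time-zone setting. The dropdown's change handler has to use the same mapping (Day to SID2, Night to SID1) for later selections to agree with this initial choice.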


tomapatan
Communicator

Amazing, worked exactly as you explained it will.

0 Karma

ITWhisperer
SplunkTrust

Assuming it is not simply a typo and case does matter (Shift_tok is not the same as shift_tok), then you could try setting a different token in the done handler of each of your two bases with the job.sid, then use the change handler of the dropdown to copy the relevant sid token value into a token which you use in your search with the loadjob command.

0 Karma

tomapatan
Communicator

Thanks for getting back to me.

This is what I've done:
 - base searches:

 <search id="Night">
    <query>...</query>
    <done>
      <set token="SID1">$job.sid$</set>
    </done>
  </search>
  <search id="Day">
    <query>...</query>
    <done>
      <set token="SID2">$job.sid$</set>
    </done>
  </search>

  - dropdown input:

<input type="dropdown" token="shift_tok" searchWhenChanged="true">
      <label>Shift:</label>
      <choice value="Day">Day</choice>
      <choice value="Night">Night</choice>
      <default>Day</default>
      <initialValue>Day</initialValue>
      <change>
        <condition match="$value$ == 'Day'">
          <set token="selected_shift">Day</set>
        </condition>
        <condition match="$value$ == 'Night'">
          <set token="selected_shift">Night</set>
        </condition>
      </change>
    </input>

 

 - panel:

 <row>
    <panel>
      <title>Timeline</title>
      <table>
        <title>$shift_tok$ $selected_shift$</title>
        <search base="$selected_shift$">
          <query>| table Date Shift Timeline "Hourly details of shift"</query>
        </search>
        <option name="count">13</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>

 The $selected_shift$ token doesn't seem to be working properly - any idea?

Thanks.

0 Karma

ITWhisperer
SplunkTrust

Try like this

<input type="dropdown" token="shift_tok" searchWhenChanged="true">
      <label>Shift:</label>
      <choice value="Day">Day</choice>
      <choice value="Night">Night</choice>
      <default>Day</default>
      <initialValue>Day</initialValue>
      <change>
        <!-- SID2 is set by the Day base search, SID1 by the Night one -->
        <condition match="$value$ == 'Day'">
          <set token="selected_shift">$SID2$</set>
        </condition>
        <condition match="$value$ == 'Night'">
          <set token="selected_shift">$SID1$</set>
        </condition>
      </change>
    </input>
 <row>
    <panel>
      <title>Timeline</title>
      <table>
        <title>$shift_tok$</title>
        <search>
          <query>| loadjob $selected_shift$ | table Date Shift Timeline "Hourly details of shift"</query>
        </search>
        <option name="count">13</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
0 Karma

tomapatan
Communicator

 

 

<form version="1.1" theme="light">
  <label> Report </label>
  <search id="Night">
    <query>| inputlookup handover_timeline.csv
| dedup Shift Date
| search Shift="Night"
| appendcols [| makeresults count=24
| streamstats count as Timeline
| eval Timeline=if(Timeline&lt;10, "0".Timeline.":00", Timeline.":00")
| table Timeline]
| streamstats first(Date) as Date, first(Shift) as Shift
| tail 6
| sort Timeline
| append [| inputlookup handover_timeline.csv
| dedup Shift Date
| search Shift="Night"
| appendcols [| makeresults count=24
| streamstats count as Timeline
| eval Timeline=if(Timeline&lt;10, "0".Timeline.":00", Timeline.":00")
| table Timeline]
| streamstats first(Date) as Date, first(Shift) as Shift
| head 6 ]
| fields Date Shift Timeline "Hourly details of shift"</query>
    <done>
      <set token="SID1">$job.sid$</set>
    </done>
  </search>
  <search id="Day">
    <query>| inputlookup handover_timeline.csv 
| dedup Shift Date 
| search Shift=Day 
| appendcols 
    [| makeresults count=24 
    | streamstats count as Timeline 
    | eval Timeline=if(Timeline&lt;10, "0".Timeline.":00", Timeline.":00") 
    | table Timeline] 
| streamstats first(Date) as Date, first(Shift) as Shift 
| streamstats count as row_number 
| eventstats max(row_number) as total_rows 
| where row_number &gt; 6 AND row_number &lt;= total_rows - 6
| fields - row_number, total_rows</query>
    <done>
      <set token="SID2">$job.sid$</set>
    </done>
  </search>
  <search>
    <query>
      | makeresults
      | eval token="$date_tok$"
      | eval earliest=if(token="today", relative_time(now(), "@d"), strptime(token, "%d/%m/%Y"))
      | eval latest=if(token="today", now(), earliest + 86400)
      | table earliest, latest
    </query>
    <finalized>
      <set token="earliest_tok">$result.earliest$</set>
      <set token="latest_tok">$result.latest$</set>
    </finalized>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
    <refresh>300</refresh>
    <refreshType>delay</refreshType>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="date_tok" searchWhenChanged="true">
      <label>Date:</label>
      <fieldForLabel>Date</fieldForLabel>
      <fieldForValue>Date</fieldForValue>
      <search>
        <query>
          | makeresults
          | timechart span=1d count
          | sort - _time
          | eval Date=strftime(_time, "%d/%m/%Y"), earliest=relative_time(_time, "@d")
          | table Date, earliest
          | tail 7
          | sort - earliest
        </query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="today">Today</choice>
      <initialValue>today</initialValue>
      <default>today</default>
    </input>
    <input type="dropdown" token="shift_tok" searchWhenChanged="true">
      <label>Shift:</label>
      <choice value="Day">Day</choice>
      <choice value="Night">Night</choice>
      <default>Day</default>
      <initialValue>Day</initialValue>
      <change>
        <!-- SID2 is set by the Day base search, SID1 by the Night one -->
        <condition match="$value$ == 'Day'">
          <set token="selected_shift">$SID2$</set>
        </condition>
        <condition match="$value$ == 'Night'">
          <set token="selected_shift">$SID1$</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        NOTES: The data shown corresponds to the start of the shift, which is 6:45 AM for the Day shift and 6:45 PM for the Night shift.
      </html>
    </panel>
  </row>
  <row>
    <panel id="flf">
      <title>FLF</title>
      <single>
        <search>
          <query>| inputlookup daily_ticket_count.csv
            | eval today = strftime(now(), "%d/%m/%Y")
            | eval Date = if(Date == today, "today", Date)
            | search Shift="$shift_tok$" Date="$date_tok$"
            | where isnotnull(FLF_perc)
            | head 1
            | fields FLF_perc</query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">75</option>
        <option name="numberPrecision">0.00</option>
        <option name="rangeColors">["0xd93f3c","0x65a637"]</option>
        <option name="rangeValues">[80]</option>
        <option name="refresh.display">none</option>
        <option name="unit">%</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Ticket Count</title>
      <table>
        <search>
          <query>| inputlookup daily_ticket_count.csv 
| eval today = strftime(now(), "%d/%m/%Y") 
| eval Date = if(Date == today, "today", Date) 
| search Shift="$shift_tok$" Date="$date_tok$" type IN ("Request", "Incident")
| fields - FLF_perc
| head 2</query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Timeline</title>
      <table>
        <title>$shift_tok$</title>
        <search>
          <query>| loadjob $selected_shift$ | table Date Shift Timeline "Hourly details of shift"</query>
        </search>
        <option name="count">13</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Now getting this message for the Timeline panel.

Search is waiting for input.

Full XML above, if someone can spot any errors.

0 Karma

ITWhisperer
SplunkTrust

Does it work if you make a selection to trigger the change handler? If so, you could add a set of the token in the init block of the dashboard. This might not work depending on whether it is executed before or after the base searches. If it is executed before the base searches, you may have to do something a bit more complicated to ensure the searches are executed in a controlled order.

0 Karma

