Dashboard Studio how to use a token to set a second value

jholman2000
Engager

I have a Dashboard created in Dashboard Studio and have added a simple dropdown to select "Production", "UAT", "SIT", "Development" and it sets a corresponding value that I use in the $api_env$ token as shown below.  This works correctly and results in CA03430-cmsviewapi-prodox as I expect.

I want to use the value in the $api_env$ token to programmatically change the index between wf_wb_cbs and wf_cb_cbs_np.

How do I do that?  I tried adding eval idx=if() at the front of my query but when it gets to the existing index= portion it flags an error "Unknown search command 'index'".

Thanks for any assistance!

Here is the query as it now shows in my dashboard:

"ds_search_1_new_new": {
            "type": "ds.search",
            "options": {
                "query": "index=wf_wb_cbs CA03430 sourcetype=\"cf:logmessage\" cf_app_name=\"CA03430-cmsviewapi-$api_env$\"| spath \"msg.customerIdType\" \r\n| eval eventHour = strftime(_time,\"%H\") | where eventHour >= \"07\" and eventHour < \"20\" \r\n| stats count by \"msg.customerIdType\"",
                "queryParameters": {
                    "earliest": "$global_time.earliest$",
                    "latest": "$global_time.latest$"
                }
            },
            "name": "cmsviewapi_activitybyrole"
        },
 
And here is my input:
        "input_w8NFtYlK": {
            "options": {
                "items": [
                    {
                        "label": "Production",
                        "value": "prodox"
                    },
                    {
                        "label": "UAT",
                        "value": "uathra"
                    },
                    {
                        "label": "SIT",
                        "value": "sit"
                    },
                    {
                        "label": "Development",
                        "value": "dev"
                    }
                ],
                "token": "api_env",
                "defaultValue": ""
            },
            "title": "Environment",
            "type": "input.dropdown",
            "dataSources": {}
        }
 

danspav
SplunkTrust

Hi @jholman2000,


I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - 

You can create a simple search that will use the environment token and produce the appropriate index name, which can then be used in your main search.

{
    "type": "ds.search",
    "options": {
        "query": "| makeresults\n| eval index=if(\"$api_env$\"=\"prodox\",\"wf_wb_cbs\",\"wf_wb_cbs_np\")\n| table index",
        "enableSmartSources": true
    },
    "name": "IndexName"
}

 

The search will be pretty quick, and will only run on the search head. It just looks at the environment token and sets the index to prod or nonprod as appropriate.

The key part is the "enableSmartSources" which you get when checking  the "Access search results or metadata" checkbox.

Now you can refer to the index name:  $IndexName:result.index$

So your final search will be:

index=$IndexName:result.index$ CA03430 sourcetype="cf:logmessage" cf_app_name="CA03430-cmsviewapi-$api_env$" | spath "msg.customerIdType" | eval eventHour = strftime(_time,"%H") | where eventHour >= "07" and eventHour < "20" | stats count by "msg.customerIdType"


Hope that helps you out.

Cheers,
Daniel
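
An added example, not part of the original posts: a small Python lint for a Dashboard Studio definition that checks the two things this workaround depends on. Every `$Name:result.field$` reference must point at a data source that has `enableSmartSources` set, and every literal compared against a dropdown token must be a value the dropdown can actually emit; otherwise the panel silently reads the wrong index. The definition is constructed from the JSON in this thread, and `ds_index_name`, `sample_definition` and `lint` are hypothetical names.

```python
import re

RESULT_REF = re.compile(r"\$(\w+):result\.(\w+)\$")        # $IndexName:result.index$
TOKEN_CMP = re.compile(r'"\$(\w+)\$"\s*==?\s*"([^"]*)"')   # "$api_env$"="prodox"

def sample_definition(prod_literal="prodox", smart_sources=True):
    """Constructed definition modelled on the thread's JSON (not a full dashboard)."""
    items = [{"label": l, "value": v} for l, v in [
        ("Production", "prodox"), ("UAT", "uathra"), ("SIT", "sit"), ("Development", "dev")]]
    helper = ('| makeresults | eval index=if("$api_env$"="%s","wf_wb_cbs","wf_wb_cbs_np")'
              ' | table index' % prod_literal)
    main = 'index=$IndexName:result.index$ CA03430 cf_app_name="CA03430-cmsviewapi-$api_env$"'
    return {
        "inputs": {"input_w8NFtYlK": {"type": "input.dropdown",
                                      "options": {"token": "api_env", "items": items}}},
        "dataSources": {
            "ds_index_name": {  # hypothetical id for the helper search
                "type": "ds.search", "name": "IndexName",
                "options": {"query": helper, "enableSmartSources": smart_sources}},
            "ds_search_1_new_new": {
                "type": "ds.search", "name": "cmsviewapi_activitybyrole",
                "options": {"query": main}},
        },
    }

def lint(definition):
    """Return findings for broken result-token references and unreachable comparisons."""
    findings = []
    by_name = {ds.get("name"): ds for ds in definition["dataSources"].values()}
    allowed = {}  # token name -> values its dropdown can emit
    for inp in definition["inputs"].values():
        opts = inp.get("options", {})
        if "token" in opts:
            allowed[opts["token"]] = {item["value"] for item in opts.get("items", [])}
    for ds_id, ds in definition["dataSources"].items():
        query = ds["options"]["query"]
        for name, _field in RESULT_REF.findall(query):
            src = by_name.get(name)
            if src is None:
                findings.append(f"{ds_id}: no data source named {name!r}")
            elif not src["options"].get("enableSmartSources"):
                findings.append(f"{ds_id}: {name!r} needs enableSmartSources")
        for token, literal in TOKEN_CMP.findall(query):
            if token in allowed and literal not in allowed[token]:
                findings.append(f"{ds_id}: ${token}$ never equals {literal!r}")
    return findings

if __name__ == "__main__":
    print(lint(sample_definition()) or "no findings")
```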

 

jholman2000
Engager

Thanks Dan!  That worked perfectly just as you provided.
