Dashboards & Visualizations

Dashboard Studio how to use a token to set a second value

jholman2000
Engager

I have a Dashboard created in Dashboard Studio and have added a simple dropdown to select "Production", "UAT, "SIT',"Development" and it sets a correspnding value that I use in the $api_env$ token as shown below.  This works correctly and results in CA03430-cmsviewapi-prodox as I expect.

I want to use the value in the $api_env$ token to programmatically change the index between wf_wb_cbs and wf_cb_cbs_np.

How do I do that?  I tried adding eval idx=if() at the front of my query but when it gets to the existing index= portion it flags an error "Unknown search command 'index'

Thanks for any assistance!

Here is the query as it now shows in my dashboard:

"ds_search_1_new_new": {
            "type": "ds.search",
            "options": {
                "query": "index=wf_wb_cbs CA03430 sourcetype=\"cf:logmessage\" cf_app_name=\"CA03430-cmsviewapi-$api_env$\"| spath \"msg.customerIdType\" \r\n| eval eventHour = strftime(_time,\"%H\") | where eventHour >= \"07\" and eventHour < \"20\" \r\n| stats count by \"msg.customerIdType\"",
                "queryParameters": {
                    "earliest": "$global_time.earliest$",
                    "latest": "$global_time.latest$"
                }
            },
            "name": "cmsviewapi_activitybyrole"
        },
 
And here is my input:
        "input_w8NFtYlK": {
            "options": {
                "items": [
                    {
                        "label": "Production",
                        "value": "prodox"
                    },
                    {
                        "label": "UAT",
                        "value": "uathra"
                    },
                    {
                        "label": "SIT",
                        "value": "sit"
                    },
                    {
                        "label": "Development",
                        "value": "dev"
                    }
                ],
                "token": "api_env",
                "defaultValue": ""
            },
            "title": "Environment",
            "type": "input.dropdown",
            "dataSources": {}
        }
 
Labels (2)
0 Karma
1 Solution

danspav
SplunkTrust
SplunkTrust

Hi @jholman2000,


I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - 

You can create a simple search that will use the environment token and produce the appropriate index name, which can then be used in your main search.

{
"type": "ds.search",
"options": {"query": "|  makeresults\n|  eval index=if(\"$api_env$\"=\"prod\",\"wf_wb_cbs\",\"wf_wb_cbs_np\")\n| table index",
"enableSmartSources": true
},
"name": "IndexName"
}

 

The search will be pretty quick, and will only run on the search head. It just looks at the environment token and sets the index to prod or nonprod as appropriate.

The key part is the "enableSmartSources" which you get when checking  the "Access search results or metadata" checkbox.

Now you can refer to the index name:  $IndexName:result.index$

So your final search will be:

index=$IndexName:result.index$ CA03430 sourcetype="cf:logmessage" cf_app_name="CA03430-cmsviewapi-$api_env$" | spath "msg.customerIdType" | eval eventHour = strftime(_time,"%H") | where eventHour >= "07" and eventHour < "20" | stats count by "msg.customerIdType"


Hope that helps you out.

Cheers,
Daniel

 

View solution in original post

0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @jholman2000,


I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - 

You can create a simple search that will use the environment token and produce the appropriate index name, which can then be used in your main search.

{
"type": "ds.search",
"options": {"query": "|  makeresults\n|  eval index=if(\"$api_env$\"=\"prod\",\"wf_wb_cbs\",\"wf_wb_cbs_np\")\n| table index",
"enableSmartSources": true
},
"name": "IndexName"
}

 

The search will be pretty quick, and will only run on the search head. It just looks at the environment token and sets the index to prod or nonprod as appropriate.

The key part is the "enableSmartSources" which you get when checking  the "Access search results or metadata" checkbox.

Now you can refer to the index name:  $IndexName:result.index$

So your final search will be:

index=$IndexName:result.index$ CA03430 sourcetype="cf:logmessage" cf_app_name="CA03430-cmsviewapi-$api_env$" | spath "msg.customerIdType" | eval eventHour = strftime(_time,"%H") | where eventHour >= "07" and eventHour < "20" | stats count by "msg.customerIdType"


Hope that helps you out.

Cheers,
Daniel

 

0 Karma

jholman2000
Engager

Thanks Dan!  That worked perfectly just as you provided.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...