Dashboards & Visualizations

Dashboard Studio how to use a token to set a second value

jholman2000
Engager

I have a Dashboard created in Dashboard Studio and have added a simple dropdown to select "Production", "UAT, "SIT',"Development" and it sets a correspnding value that I use in the $api_env$ token as shown below.  This works correctly and results in CA03430-cmsviewapi-prodox as I expect.

I want to use the value in the $api_env$ token to programmatically change the index between wf_wb_cbs and wf_cb_cbs_np.

How do I do that?  I tried adding eval idx=if() at the front of my query but when it gets to the existing index= portion it flags an error "Unknown search command 'index'

Thanks for any assistance!

Here is the query as it now shows in my dashboard:

"ds_search_1_new_new": {
            "type": "ds.search",
            "options": {
                "query": "index=wf_wb_cbs CA03430 sourcetype=\"cf:logmessage\" cf_app_name=\"CA03430-cmsviewapi-$api_env$\"| spath \"msg.customerIdType\" \r\n| eval eventHour = strftime(_time,\"%H\") | where eventHour >= \"07\" and eventHour < \"20\" \r\n| stats count by \"msg.customerIdType\"",
                "queryParameters": {
                    "earliest": "$global_time.earliest$",
                    "latest": "$global_time.latest$"
                }
            },
            "name": "cmsviewapi_activitybyrole"
        },
 
And here is my input:
        "input_w8NFtYlK": {
            "options": {
                "items": [
                    {
                        "label": "Production",
                        "value": "prodox"
                    },
                    {
                        "label": "UAT",
                        "value": "uathra"
                    },
                    {
                        "label": "SIT",
                        "value": "sit"
                    },
                    {
                        "label": "Development",
                        "value": "dev"
                    }
                ],
                "token": "api_env",
                "defaultValue": ""
            },
            "title": "Environment",
            "type": "input.dropdown",
            "dataSources": {}
        }
 
Labels (2)
0 Karma
1 Solution

danspav
SplunkTrust
SplunkTrust

Hi @jholman2000,


I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - 

You can create a simple search that will use the environment token and produce the appropriate index name, which can then be used in your main search.

{
"type": "ds.search",
"options": {"query": "|  makeresults\n|  eval index=if(\"$api_env$\"=\"prod\",\"wf_wb_cbs\",\"wf_wb_cbs_np\")\n| table index",
"enableSmartSources": true
},
"name": "IndexName"
}

 

The search will be pretty quick, and will only run on the search head. It just looks at the environment token and sets the index to prod or nonprod as appropriate.

The key part is the "enableSmartSources" which you get when checking  the "Access search results or metadata" checkbox.

Now you can refer to the index name:  $IndexName:result.index$

So your final search will be:

index=$IndexName:result.index$ CA03430 sourcetype="cf:logmessage" cf_app_name="CA03430-cmsviewapi-$api_env$" | spath "msg.customerIdType" | eval eventHour = strftime(_time,"%H") | where eventHour >= "07" and eventHour < "20" | stats count by "msg.customerIdType"


Hope that helps you out.

Cheers,
Daniel

 

View solution in original post

0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @jholman2000,


I don't think there's a way to set two token values from the one dropdown like you can with simpleXML dashboards, but here's a workaround - 

You can create a simple search that will use the environment token and produce the appropriate index name, which can then be used in your main search.

{
"type": "ds.search",
"options": {"query": "|  makeresults\n|  eval index=if(\"$api_env$\"=\"prod\",\"wf_wb_cbs\",\"wf_wb_cbs_np\")\n| table index",
"enableSmartSources": true
},
"name": "IndexName"
}

 

The search will be pretty quick, and will only run on the search head. It just looks at the environment token and sets the index to prod or nonprod as appropriate.

The key part is the "enableSmartSources" which you get when checking  the "Access search results or metadata" checkbox.

Now you can refer to the index name:  $IndexName:result.index$

So your final search will be:

index=$IndexName:result.index$ CA03430 sourcetype="cf:logmessage" cf_app_name="CA03430-cmsviewapi-$api_env$" | spath "msg.customerIdType" | eval eventHour = strftime(_time,"%H") | where eventHour >= "07" and eventHour < "20" | stats count by "msg.customerIdType"


Hope that helps you out.

Cheers,
Daniel

 

0 Karma

jholman2000
Engager

Thanks Dan!  That worked perfectly just as you provided.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...