Dashboards & Visualizations

Dashboard conditional where like not defaulting to all rows

dougburdan
Explorer

Hi Folks,

I'm developing an interactive dashboard which reads a large CSV file with several fields.

The dashboard has an Input for each field to allow users to filter results. Several of the Inputs are text boxes.

The default value for these text inputs is "All", with the intention that 'All' results for that field are returned until 'All' is overtyped with a value to filter that field on.

The following code example for the 'Application' text input works fine when "All" is overtyped, returning all rows that match the string passed from the dashboard through $appToken$ . . .but if it is left as the default of "All", no results are found:

| where if($appToken$="All",like(Application,"%"),like(Application,"%$appToken$%"))

I've tried several combinations of like, match, quotes, * and %, and can't get anything to work.

The following code works through search, returning all rows, so I'm not sure why it doesn't work in the source of my dashboard?

| where like(Application,"%")

Any help would be greatly appreciated.

Thanks,
Doug.

0 Karma
1 Solution

woodcock
Esteemed Legend

Do it like this:

...
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" token="Application_Token" searchWhenChanged="false">
      <label>Select an Application:</label>
      <prefix>Application="</prefix>
      <suffix>"</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
...

Then, in your search, just do like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcdetypeToo $Application_Token$

View solution in original post

0 Karma

woodcock
Esteemed Legend

Do it like this:

...
  <fieldset autoRun="false" submitButton="true">
    <input type="dropdown" token="Application_Token" searchWhenChanged="false">
      <label>Select an Application:</label>
      <prefix>Application="</prefix>
      <suffix>"</suffix>
      <choice value="*">All</choice>
      <fieldForLabel>label</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <search>
        <query>| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label</query>
        <earliest>-1s</earliest>
        <latest>now</latest>
      </search>
...

Then, in your search, just do like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcdetypeToo $Application_Token$
0 Karma

dougburdan
Explorer

Wow! . . . That is so cool the way it populates the dropdown.

After a bit of experimenting, I got it working with the code below.

Thanks for all your help - really appreciated!

    <input type="dropdown" token="appToken" searchWhenChanged="true">
      <label>Application</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Application</fieldForLabel>
      <fieldForValue>Application</fieldForValue>
      <search>
        <query>
          | inputlookup alerts_CTM_all_added_fields.csv
          | stats count by Application
        </query>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
            | inputlookup alerts_CTM_all_added_fields.csv
            | search Application="$appToken$"
            | table Time Nodeid Application Memname Message Support
          </query>
        </search>

woodcock
Esteemed Legend

Try this:

... | where like(Application, if($appToken$="All", "%", "%$appToken$%"))

But this is completely the wrong way to do it. The correct way is to use both value and label and set the value for the label All to be *. You will populate your list like this:

| inputlookup YourLookupHere.csv | rename YourFieldHere AS label | eval value = label | append [|makeresults | eval value = "All", label = "*" ] | table label value

Check out the Dashboard Examples app for this approach.

0 Karma

dougburdan
Explorer

Thanks woodcock.

I tried installing the dashboard examples app, but Splunk here at work is locked down and I don't have access.

I dug out my private sandbox to try and install it, but my sandbox has long since expired.

I tried your first example, but got the same result as my initial code - no rows were displayed.

I then browsed through the online Splunk documentation on tokens, and under token filters, noticed $token_name|s$ which seemed promising.

I tried this with your code and with my original code, and it seems to work for both - returned all rows when I entered 'All' through the dashboard, and returned just the rows containing the string when I overtyped 'All' with a string:

| where like(Application, if($appToken|s$="All", "%", "%$appToken$%"))
| where if($appToken|s$="All",like(Application,"%"),like(Application,"%$appToken$%"))

However, I've been self taught so far - stitching together code I've googled - so I might well being doing things the wrong way.

Therefore I'll persevere with trying to understand how value and label work and trying out your second example - it would be good to put 'best practice' in place.

Thanks for your help.

0 Karma

woodcock
Esteemed Legend

See my other answer for full XML.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

When the default selection of "All" is used, what is the value of $appToken$. If it's "All" or *, then like(Application,"%$appToken$%") is looking for Application values containing "All" or "*". If you can get the default setting to map to "" (empty string) or % then the code should work.

The second where clause works because the single wildcard matches all values.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dougburdan
Explorer

Thanks richgalloway, although I am still a little confused, so I did a couple of tests . . .

When I enter Test in the dashboard, I can see that $appToken$ is set to Test and only rows that have an Application with Test in their names are displayed in the dashboard, so the second clause like(Application,"%$appToken$%") is working successfully.

I then changed the code to | where if($appToken$="Test" in attempt to trigger the first clause to show all Applications:

| where if($appToken$="Test",like(Application,"%"),like(Application,"%$appToken$%"))

However, I got the same result as the first test (only Applications with Test in their names showing in the dashboard), so the second clause was still triggering.

Therefore, it must be the first part of the IF statement that is not working . . . for some reason | where if($appToken$="Test" is not matching the input from the dashboard, even though I can see that $appToken$ is set to Test?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...