Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dynamic referring to base search - based on dropdown

kschaul
Engager
‎09-21-2016 05:26 AM

Is it possible to refer to a specific base search in you dashboard, by use of a token (input dropdown).

For instance, when having two basesearches I want to refer to either one of them by using a token in my postprocess search.
This however doesn't seem to work, see example below,

    <form>
     <search id="BS_Windows">
      <query>SOMEQUERY</query>
     </search>
     <search id="BS_Linux">
      <query>SOMEQUERY2</query>
     </search>

     <row>
      <panel>
        <input type="dropdown" token="selectedOS" searchWhenChanged="true">
          <label>Service Provider</label>
            <choice value="BS_Windows">Windows</choice>
           <choice value="BS_Linux">Linux</choice>
        </input>
      <single>
       <title>Windows Compliancy</title>
        <search base="$selectedOS$">
         <query>VISUALIZATION</query>
        </search>
     </panel>
   </row>
...
Reply

sundareshr
Legend
‎09-21-2016 06:00 AM

If the difference between the two base searches is more than just one value (sourcetype) you could create two panels - Windows / Linux and show/hide them based on user selection in the dropdown. Something like this may work...

 <row>
   <panel>
     <input type="dropdown" token="selectedOS" searchWhenChanged="true">
       <label>Service Provider</label>
         <choice value="Windows">Windows</choice>
        <choice value="Linux">Linux</choice>
        <change><condition value="Windows"><set token="BS_Windows">Windows</set><unset token="BS_Linux" /></condition>
      <condition value="Linux"><set token="BS_Linux">Linux</set><unset token="BS_Windows" /></condition>
     </input>
   <panel depends="$BS_Windows$">
    <title>Windows Compliance</title> --> Make sure you add an `eval temp="$BS_Windows$"` to your query to prevent the execution if token not set.
      <query>VISUALIZATION</query>
     </search>
  </panel>
   <panel depends="$BS_Linux$">
    <title>Windows Compliance</title> --> Make sure you add an `eval temp="$BS_Linux$"` to your query to prevent the execution if token not set.
      <query>VISUALIZATION</query>
     </search>
  </panel>
</row>

If it is only one value, you can use token in the base search itself. `index=xyz sourcetype="$selectedOS$"

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...