Dynamic referring to base search - based on dropdown

kschaul
Engager

Is it possible to refer to a specific base search in your dashboard by use of a token (input dropdown)?

For instance, when having two base searches, I want to refer to either one of them by using a token in my post-process search.
This, however, doesn't seem to work; see the example below:

    <form>
      <search id="BS_Windows">
        <query>SOMEQUERY</query>
      </search>
      <search id="BS_Linux">
        <query>SOMEQUERY2</query>
      </search>

      <row>
        <panel>
          <input type="dropdown" token="selectedOS" searchWhenChanged="true">
            <label>Service Provider</label>
            <choice value="BS_Windows">Windows</choice>
            <choice value="BS_Linux">Linux</choice>
          </input>
          <single>
            <title>Windows Compliancy</title>
            <search base="$selectedOS$">
              <query>VISUALIZATION</query>
            </search>
          </single>
        </panel>
      </row>
...

sundareshr
Legend

If the difference between the two base searches is more than just one value (sourcetype) you could create two panels - Windows / Linux and show/hide them based on user selection in the dropdown. Something like this may work...

    <row>
      <panel>
        <input type="dropdown" token="selectedOS" searchWhenChanged="true">
          <label>Service Provider</label>
          <choice value="Windows">Windows</choice>
          <choice value="Linux">Linux</choice>
          <change>
            <condition value="Windows">
              <set token="BS_Windows">Windows</set>
              <unset token="BS_Linux" />
            </condition>
            <condition value="Linux">
              <set token="BS_Linux">Linux</set>
              <unset token="BS_Windows" />
            </condition>
          </change>
        </input>
      </panel>
      <panel depends="$BS_Windows$">
        <title>Windows Compliance</title>
        <!-- Make sure you add an eval temp="$BS_Windows$" to your query to prevent the execution if the token is not set. -->
        <single>
          <search base="BS_Windows">
            <query>VISUALIZATION</query>
          </search>
        </single>
      </panel>
      <panel depends="$BS_Linux$">
        <title>Linux Compliance</title>
        <!-- Make sure you add an eval temp="$BS_Linux$" to your query to prevent the execution if the token is not set. -->
        <single>
          <search base="BS_Linux">
            <query>VISUALIZATION</query>
          </search>
        </single>
      </panel>
    </row>

If it is only one value, you can use the token in the base search itself: `index=xyz sourcetype="$selectedOS$"`

0 Karma
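
The single-base-search approach from the answer above, written out as a complete form. This is an added example, not code from either poster: the `BS_OS` id, the sourcetype values, the time range and the `stats` queries are assumptions. It uses the `|s` token filter instead of hand-written quotes, so a value supplied through the `form.selectedOS` URL parameter is substituted as one quoted literal rather than as raw search text.

```xml
<form>
  <label>OS compliance (example)</label>
  <!-- One base search; the dropdown token selects the sourcetype.
       $selectedOS|s$ wraps the value in quotes before substitution. -->
  <search id="BS_OS">
    <query>index=xyz sourcetype=$selectedOS|s$ | stats count by host</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="selectedOS" searchWhenChanged="true">
      <label>Service Provider</label>
      <!-- Assumed sourcetype names; replace with the ones in your index. -->
      <choice value="WinEventLog">Windows</choice>
      <choice value="linux_secure">Linux</choice>
      <default>WinEventLog</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Hosts reporting</title>
        <!-- base= stays a fixed search id; the token lives in the base query. -->
        <search base="BS_OS">
          <query>stats dc(host)</query>
        </search>
      </single>
    </panel>
  </row>
</form>
```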