
How do I use a token in a dashboard panel chart search query that is currently only set when a check box is selected?

I am using the following Simple XML for a check box in a dashboard (Splunk Enterprise 6.4):

<input type="checkbox" token="blacklist" searchWhenChanged="true">
  <choice value="NOT [|inputlookup tran_blacklist.csv]">Exclude blacklisted transaction codes</choice>
  <default>NOT [|inputlookup tran_blacklist.csv]</default>
</input>

That is, I have a single check box that appears on the dashboard like this:

[x]  Exclude blacklisted transaction codes

The corresponding blacklist token is used in panel search strings like this (simplified example for the sake of clarity):

sourcetype=my_log_type $blacklist$ | timechart count by tran

When the check box is selected, this works as intended: it excludes certain transaction codes from the chart.

However, if the check box is not selected, the chart displays "Search is waiting for input..." due to the blacklist token not being set.

How do I avoid this problem?

My first thought was to investigate how, within the <input> element, to specify a value for the blacklist token if that single "Exclude..." <choice> is not selected, but I couldn't see how to do that.

My next thought was to investigate how to use <set token="blacklist"> outside of the <input> element to set a default value for the blacklist token. But nope, I couldn't see how to do that, either.

Then it occurred to me to add "bogus" (unnecessary) "(" and ")" characters as token prefix and suffix, just to populate the token with some (innocuous) value. Nope.


Re: How do I use a token in a dashboard panel chart search query that is currently only set when a check box is selected?

Have you tried setting another static checkbox, like:

"<choice value="">blacklisted transaction codes</choice>"

This worked for me in a similar use case.


Re: How do I use a token in a dashboard panel chart search query that is currently only set when a check box is selected?

Thanks for the answer.

No, I hadn't tried adding another static check box.

Yes, that works.

I looked at the "Check Box Input" example in the Splunk 6.x Dashboard Examples app, and it seems that this behavior - "Search is waiting for input" when no check boxes are selected - is by design. I can imagine this behavior was the subject of some debate between the Splunk designers. I have mixed feelings about it.

In my specific case, I want to offer the user a choice between two states:

  • Exclude blacklisted transaction codes (the default state)
  • Include them

For this case - without considering Splunk-specific implementation issues - a single check box seemed to me the most appropriate choice of UI control.

However, in Splunk, as we've seen, if no check box in a group is selected, the corresponding token remains unset, resulting in a "Search is waiting for input" message, which is not the behavior I want. At least, not in this situation; I'm open to learning about situations where this behavior is desirable.

Thanks again for your answer. It's prompted me to rethink how to represent such a choice to the user in a way that is straightforward to implement in Splunk.

Rather than introducing a second check box, which, logically, offers the user a choice between not two but four states, I have, for now, replaced the single check box with two radio buttons:

Blacklisted transaction codes:
[ ] Include
[X] Exclude

Simple XML:

<input type="radio" token="blacklist" searchWhenChanged="true">
  <label>Blacklisted transaction codes:</label>
  <choice value="">Include</choice>
  <choice value="NOT [|inputlookup tran_blacklist.csv]">Exclude</choice>
  <default>NOT [|inputlookup tran_blacklist.csv]</default>
</input>

I'd still prefer to use a single check box, but this is an acceptable workaround for me.

Finally, regarding the "Check Box Input" example in the Splunk 6.x Dashboard Examples app... I think that the presence of the "ANY" check box in this group is problematic (I can elaborate, if asked). And if you select multiple check boxes and inspect the resulting search string, you can see that the "OR" delimiter lacks leading and trailing spaces:

(sourcetype="*"ORsourcetype="splunk_web_access")

I'm currently using a free Splunk license on my PC (I'm discussing this situation with local management), so I can't submit a case for that. What, if anything, should I do about that? Report it here in the guise of a question, perhaps? (Or buy a license. Yes, fair call.)

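A single-checkbox variant of the workaround discussed in this thread, as an added example that is not from any of the posters or from Splunk: the checkbox drives a helper token, and a <change> handler always gives the blacklist token a value, so the panel search is not left waiting when the box is cleared. The helper token name blacklist_cb, the flag value exclude, the labels and the match-all fallback term are assumptions, as is the <change> handler running when the box is cleared on your Splunk version.

```xml
<form>
  <label>Transactions by code</label>
  <fieldset submitButton="false">
    <!-- blacklist_cb (hypothetical helper token) only carries a flag.
         The panel search never references it directly. -->
    <input type="checkbox" token="blacklist_cb" searchWhenChanged="true">
      <label>Blacklist</label>
      <choice value="exclude">Exclude blacklisted transaction codes</choice>
      <default>exclude</default>
      <change>
        <!-- Box selected: blacklist holds the exclusion subsearch. -->
        <condition value="exclude">
          <set token="blacklist">NOT [|inputlookup tran_blacklist.csv]</set>
        </condition>
        <!-- Any other state, including nothing selected: blacklist is
             still set, here to a match-all term that filters nothing
             (assumed fallback, chosen so the token is never empty). -->
        <condition>
          <set token="blacklist">*</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Same panel search as in the question. -->
          <query>sourcetype=my_log_type $blacklist$ | timechart count by tran</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```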