
How to change search criteria based on dropdown value? (Dashboard Studio)

schres1
Explorer

Hey everyone...I know there has to be an easy way to do what I want, but I just can't figure out how. It should be straightforward, but apparently I can't figure it out. 

I have a dropdown and depending on its value, I want to change my search criteria for dependent widgets.

For example: 
I have a single value widget on my dashboard. The default search query for that widget is 

index='idx' source='src1'....

If someone picks the second element in the dropdown (label = "My Second Element", value = 'secondelement') I want the search query to change to 

index='idx' source='src2'....

and for the dashboard to refresh. Similarly, when selecting the first element, I want it to go back to source = 'src1'. 

I don't have any sort of submit button and am puzzled by similar answers to other questions that include a wall of XML. It seems to me that this should be doable via an if statement in the query or by parameterizing the query before it's run. I'm obviously ignorant about large swaths of Splunk, so please explain it like I'm five. 🙂

0 Karma
1 Solution

schres1
Explorer

The issue here is that I am not using SplunkXML to create my dashboard. I am using Splunk Dashboard Studio. No XML in my code and no way to consume it. 
It looks like the best way to do this is to just modify my search query to be

index="idx" source IN("$token$")  and then make the value of the token be what I want to search.
 


0 Karma
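
The token approach described in the accepted answer, as an added example that is not from the original post: a minimal Dashboard Studio definition in which a dropdown sets a token and the single value search reads it. The token name `src_tok`, the item ids, the `| stats count` clause and the layout values are assumptions; the labels and source values follow the question.

```json
{
    "title": "Source selector (added example)",
    "dataSources": {
        "ds_search_1": {
            "type": "ds.search",
            "options": {
                "query": "index=\"idx\" source IN(\"$src_tok$\") | stats count",
                "queryParameters": {
                    "earliest": "-24h@h",
                    "latest": "now"
                }
            },
            "name": "Events for selected source"
        }
    },
    "inputs": {
        "input_source": {
            "type": "input.dropdown",
            "title": "Source",
            "options": {
                "items": [
                    { "label": "My First Element", "value": "src1" },
                    { "label": "My Second Element", "value": "src2" }
                ],
                "token": "src_tok",
                "defaultValue": "src1"
            }
        }
    },
    "visualizations": {
        "viz_single": {
            "type": "splunk.singlevalue",
            "dataSources": { "primary": "ds_search_1" }
        }
    },
    "layout": {
        "type": "absolute",
        "globalInputs": ["input_source"],
        "structure": [
            {
                "item": "viz_single",
                "type": "block",
                "position": { "x": 20, "y": 20, "w": 300, "h": 200 }
            }
        ]
    }
}
```

Changing the dropdown re-runs every search that references `$src_tok$`, so no submit button is involved. The token value is substituted into the query text as-is, so a fixed list of items keeps it to known source values.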


schres1
Explorer

OK, let's come at this from a different angle. Where in my dashboard can I see XML of any sort? I don't see it when I look under code. I see JSON there. 

{
    "dataSources": {
        "ds_search_1_new_new_new": {
            "type": "ds.search",
            "options": {
                "query": "index=\"pls\" source=\"srcxyz\"",
                "queryParameters": {
                    "earliest": "2022-05-05T00:00:00.000Z",
                    "latest": "now"
                }
            },
            "name": "ROI"
        }
    }
}

 

0 Karma

schres1
Explorer

I'm sorry...this app isn't going to work for me. I'm not allowed to install apps on my company's Splunk instance and they won't let me install a trial version locally. 

Is there documentation anywhere that would show someone how to do this without some app that has nothing to do with what we are trying to implement or deploy? 

I mean...assuming I could have installed this app, where would I have put any of your xml wall into my own dashboard? None of this makes any sense. 

0 Karma

gcusello
SplunkTrust

Hi @schres1,

Try the XML that you can find in my first answer; it's taken from that App.

Anyway, I suggest asking to have this App installed in a development environment, because it's very useful!

Ciao.

Giuseppe

0 Karma

schres1
Explorer

Thanks @gcusello. Unfortunately, that answer does not make sense to me. The link you provided is a 404 and I have no idea how to even start to consume that wall of XML. 

0 Karma

gcusello
SplunkTrust

Hi @schres1,

it's very strange because it runs for me!

https://splunkbase.splunk.com/app/1603/ 

Anyway, go to apps.splunk.com and search for "Dashboard Examples"; you'll find the App that will probably solve your need.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @schres1,

You should put in your dropdown, as the value (not as the label), the value of the source to insert in the search, and then pass it as a token. To better understand how to do this, I suggest installing the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603/), where you can find an example of how to do it.

In other words, something like this:

<form>
    <label>Dropdown Form Input Element</label>
    <description>Set search terms by populating a form with one or more dropdown options.</description>
    <fieldset autoRun="true" submitButton="false">
        <!-- prefix and suffix wrap the selected value, so $source$ expands to source="VALUE" -->
        <input type="dropdown" token="source" searchWhenChanged="true">
            <label>Select a Source:</label>
            <prefix>source="</prefix>
            <suffix>"</suffix>
            <default>*</default>
            <choice value="*">All</choice>
            <fieldForLabel>source</fieldForLabel>
            <fieldForValue>source</fieldForValue>
            <!-- This search populates the dropdown choices -->
            <search>
                <query>index=_internal | stats count by source</query>
                <earliest>-24h</earliest>
                <latest>now</latest>
            </search>
        </input>
    </fieldset>
    <row>
        <panel>
            <table>
                <title>Table of Events for $source$</title>
                <search>
                    <!-- The token already carries source="...", so it is used bare in the query -->
                    <query>index=idx $source$ | table _time, user, sourcetype, _raw</query>
                    <earliest>-24h@h</earliest>
                    <latest>now</latest>
                </search>
                <option name="wrap">true</option>
                <option name="rowNumbers">true</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">row</option>
                <option name="count">5</option>
            </table>
        </panel>
    </row>
</form>

Ciao.

Giuseppe

0 Karma