Solved: Re: How to create dynamic commands in search?

lakromani · ‎04-03-2017

I would like to change the commands within a dashboard.

I have a dropdown box like this:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
</input>

Then I would like the timechart to reflect whats selected in dropdown box.

<query>source="snmp://Cisco-Wifi-clients"
            | eval info=case(
                radio=="Dot11Radio0"
                    ,"avg(low) AS 2.4GHz"
                ,radio=="Dot11Radio1"
                    ,"avg(high) AS 5.0Ghz"
                ,1==1,"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
            | timechart $info$</query>

But this does not work.

Anyone have another way to get this to work?

Here is the base idea:
This work:

index=_internal user=* | timechart count by user limit=10

This does not.

index=_internal user=* | eval test="count by user limit=10" | timechart $test$

niketn · ‎04-03-2017

@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
  <change>
    <condition value="Dot11Radio0">
      <set token="aggrQuery">avg(low) AS 2.4GHz</set>
    </condition>
    <condition value="Dot11Radio1">
      <set token="aggrQuery">avg(high) AS 5.0Ghz</set>
    </condition>
    <condition>
      <set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
    </condition>
  </change>
</input>

Use $aggrQuery$ token later in your search next to timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

briancronrath · ‎04-03-2017

What if you just made the choice value be what you eval to in your query and pass that as a token?

<input type="radio" token="radio" searchWhenChanged="true">
   <label>Radio</label>
   <choice value="*">All</choice>
   <choice value="avg(low) AS 2.4GHz">2.4 GHz</choice>
   <choice value="avg(high) AS 5.0Ghz">5.0 Ghz</choice>
   <default>*</default>
 </input>

<query>source="snmp://Cisco-Wifi-clients"
             | timechart $radio$</query>

lakromani · ‎04-03-2017

Problem is that I use $radio$ other places in my config, and it's value can not be changed.

niketn · ‎04-03-2017

@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
  <change>
    <condition value="Dot11Radio0">
      <set token="aggrQuery">avg(low) AS 2.4GHz</set>
    </condition>
    <condition value="Dot11Radio1">
      <set token="aggrQuery">avg(high) AS 5.0Ghz</set>
    </condition>
    <condition>
      <set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
    </condition>
  </change>
</input>

Use $aggrQuery$ token later in your search next to timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lakromani · ‎04-03-2017

Perfect. This did what I was looking for. Since the $radio$ was used elsewhere in the script I could not change it.

But I still do not understand why I can not set the $aggrQuery$ within the panel section of the Dashboard. This could be added by the Splunk guys 🙂

niketn · ‎04-03-2017

Splunk has a map command where you can recursively execute SPL for selected field. (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map). I have used makeresults but you can use timechart instead.

  <fieldset>
   <input type="radio" token="radio" searchWhenChanged="true">
   <label>Radio</label>
   <choice value="*">All</choice>
   <choice value="Dot11Radio0">2.4 GHz</choice>
   <choice value="Dot11Radio1">5.0 Ghz</choice>
   <default>*</default>
 </input>
 </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval aggrQuery=case("$radio$"=="Dot11Radio0","avg(low) AS 2.4GHz","$radio$"=="Dot11Radio1","avg(high) AS 5.0Ghz",true(),"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
| map search="| makeresults | eval UseMappedresult=\"$aggrQuery$\""</query>
          <sampleRatio>1</sampleRatio>
        </search>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rcarinha · ‎04-03-2017

Hi lakromani.

You probably need this:

index=_internal user=* | timechart count by user limit=10 | search radio= \"$radio$\"

How to create dynamic commands in search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

How to create dynamic commands in search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future