- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create dynamic commands in search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to change the commands within a dashboard.
I have a dropdown box like this:
<input type="radio" token="radio" searchWhenChanged="true">
<label>Radio</label>
<choice value="*">All</choice>
<choice value="Dot11Radio0">2.4 GHz</choice>
<choice value="Dot11Radio1">5.0 Ghz</choice>
<default>*</default>
</input>
Then I would like the timechart to reflect whats selected in dropdown box.
<query>source="snmp://Cisco-Wifi-clients"
| eval info=case(
radio=="Dot11Radio0"
,"avg(low) AS 2.4GHz"
,radio=="Dot11Radio1"
,"avg(high) AS 5.0Ghz"
,1==1,"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
| timechart $info$</query>
But this does not work.
Anyone have another way to get this to work?
Here is the base idea:
This work:
index=_internal user=* | timechart count by user limit=10
This does not.
index=_internal user=* | eval test="count by user limit=10" | timechart $test$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:
<input type="radio" token="radio" searchWhenChanged="true">
<label>Radio</label>
<choice value="*">All</choice>
<choice value="Dot11Radio0">2.4 GHz</choice>
<choice value="Dot11Radio1">5.0 Ghz</choice>
<default>*</default>
<change>
<condition value="Dot11Radio0">
<set token="aggrQuery">avg(low) AS 2.4GHz</set>
</condition>
<condition value="Dot11Radio1">
<set token="aggrQuery">avg(high) AS 5.0Ghz</set>
</condition>
<condition>
<set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
</condition>
</change>
</input>
Use $aggrQuery$ token later in your search next to timechart.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What if you just made the choice value be what you eval to in your query and pass that as a token?
<input type="radio" token="radio" searchWhenChanged="true">
<label>Radio</label>
<choice value="*">All</choice>
<choice value="avg(low) AS 2.4GHz">2.4 GHz</choice>
<choice value="avg(high) AS 5.0Ghz">5.0 Ghz</choice>
<default>*</default>
</input>
<query>source="snmp://Cisco-Wifi-clients"
| timechart $radio$</query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem is that I use $radio$ other places in my config, and it's value can not be changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:
<input type="radio" token="radio" searchWhenChanged="true">
<label>Radio</label>
<choice value="*">All</choice>
<choice value="Dot11Radio0">2.4 GHz</choice>
<choice value="Dot11Radio1">5.0 Ghz</choice>
<default>*</default>
<change>
<condition value="Dot11Radio0">
<set token="aggrQuery">avg(low) AS 2.4GHz</set>
</condition>
<condition value="Dot11Radio1">
<set token="aggrQuery">avg(high) AS 5.0Ghz</set>
</condition>
<condition>
<set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
</condition>
</change>
</input>
Use $aggrQuery$ token later in your search next to timechart.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. This did what I was looking for. Since the $radio$ was used elsewhere in the script I could not change it.
But I still do not understand why I can not set the $aggrQuery$ within the panel section of the Dashboard. This could be added by the Splunk guys 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk has a map command where you can recursively execute SPL for selected field. (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map). I have used makeresults but you can use timechart instead.
<fieldset>
<input type="radio" token="radio" searchWhenChanged="true">
<label>Radio</label>
<choice value="*">All</choice>
<choice value="Dot11Radio0">2.4 GHz</choice>
<choice value="Dot11Radio1">5.0 Ghz</choice>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults
| eval aggrQuery=case("$radio$"=="Dot11Radio0","avg(low) AS 2.4GHz","$radio$"=="Dot11Radio1","avg(high) AS 5.0Ghz",true(),"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
| map search="| makeresults | eval UseMappedresult=\"$aggrQuery$\""</query>
<sampleRatio>1</sampleRatio>
</search>
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lakromani.
You probably need this:
index=_internal user=* | timechart count by user limit=10 | search radio= \"$radio$\"
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
