Solved: How to create dynamic commands in search?

lakromani · ‎04-03-2017

I would like to change the commands within a dashboard.

I have a dropdown box like this:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
</input>

Then I would like the timechart to reflect whats selected in dropdown box.

<query>source="snmp://Cisco-Wifi-clients"
            | eval info=case(
                radio=="Dot11Radio0"
                    ,"avg(low) AS 2.4GHz"
                ,radio=="Dot11Radio1"
                    ,"avg(high) AS 5.0Ghz"
                ,1==1,"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
            | timechart $info$</query>

But this does not work.

Anyone have another way to get this to work?

Here is the base idea:
This work:

index=_internal user=* | timechart count by user limit=10

This does not.

index=_internal user=* | eval test="count by user limit=10" | timechart $test$

niketn · ‎04-03-2017

@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
  <change>
    <condition value="Dot11Radio0">
      <set token="aggrQuery">avg(low) AS 2.4GHz</set>
    </condition>
    <condition value="Dot11Radio1">
      <set token="aggrQuery">avg(high) AS 5.0Ghz</set>
    </condition>
    <condition>
      <set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
    </condition>
  </change>
</input>

Use $aggrQuery$ token later in your search next to timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

briancronrath · ‎04-03-2017

What if you just made the choice value be what you eval to in your query and pass that as a token?

<input type="radio" token="radio" searchWhenChanged="true">
   <label>Radio</label>
   <choice value="*">All</choice>
   <choice value="avg(low) AS 2.4GHz">2.4 GHz</choice>
   <choice value="avg(high) AS 5.0Ghz">5.0 Ghz</choice>
   <default>*</default>
 </input>

<query>source="snmp://Cisco-Wifi-clients"
             | timechart $radio$</query>

lakromani · ‎04-03-2017

Problem is that I use $radio$ other places in my config, and it's value can not be changed.

niketn · ‎04-03-2017

@lakromani... Shift the logic of your dynamic timechart aggregation from search to your input radio selection's change event. Try the following:

<input type="radio" token="radio" searchWhenChanged="true">
  <label>Radio</label>
  <choice value="*">All</choice>
  <choice value="Dot11Radio0">2.4 GHz</choice>
  <choice value="Dot11Radio1">5.0 Ghz</choice>
  <default>*</default>
  <change>
    <condition value="Dot11Radio0">
      <set token="aggrQuery">avg(low) AS 2.4GHz</set>
    </condition>
    <condition value="Dot11Radio1">
      <set token="aggrQuery">avg(high) AS 5.0Ghz</set>
    </condition>
    <condition>
      <set token="aggrQuery">avg(high) AS 5.0Ghz avg(low) AS 2.4GHz</set>
    </condition>
  </change>
</input>

Use $aggrQuery$ token later in your search next to timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lakromani · ‎04-03-2017

Perfect. This did what I was looking for. Since the $radio$ was used elsewhere in the script I could not change it.

But I still do not understand why I can not set the $aggrQuery$ within the panel section of the Dashboard. This could be added by the Splunk guys 🙂

niketn · ‎04-03-2017

Splunk has a map command where you can recursively execute SPL for selected field. (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map). I have used makeresults but you can use timechart instead.

  <fieldset>
   <input type="radio" token="radio" searchWhenChanged="true">
   <label>Radio</label>
   <choice value="*">All</choice>
   <choice value="Dot11Radio0">2.4 GHz</choice>
   <choice value="Dot11Radio1">5.0 Ghz</choice>
   <default>*</default>
 </input>
 </fieldset>

  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| eval aggrQuery=case("$radio$"=="Dot11Radio0","avg(low) AS 2.4GHz","$radio$"=="Dot11Radio1","avg(high) AS 5.0Ghz",true(),"avg(high) AS 5.0Ghz avg(low) AS 2.4GHz")
| map search="| makeresults | eval UseMappedresult=\"$aggrQuery$\""</query>
          <sampleRatio>1</sampleRatio>
        </search>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rcarinha · ‎04-03-2017

Hi lakromani.

You probably need this:

index=_internal user=* | timechart count by user limit=10 | search radio= \"$radio$\"

How to create dynamic commands in search?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

How to create dynamic commands in search?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud