I work in the Healthcare industry and our customer base can have product versions that range from 6 to 18. For this dashboard, for sites with versions less than 15 I have to use one data source. For sites that have versions 15 and over, I have a different set of data sources.
For this dashboard, I have one query for versions below 15 and another query for version 15 and above. I have built a dropdown that lists the Site Name for choices. There is also a time picker to choose date ranges. In order to choose the correct query to run, I need to somehow pass the product version so it knows which one to run and display. How do I create the product version as a token to pass down to decide which query to use?
Here is the start of my dashboard code. Below it is just the two queries I will be choosing from.
<fieldset submitButton="true" autoRun="false">
<input type="dropdown" token="propertyId" searchWhenChanged="false">
<label>Site</label>
<fieldForLabel>FullHospitalName</fieldForLabel>
<fieldForValue>propertyId</fieldForValue>
<search>
<query>| inputlookup HealthcareMasterList.csv
| search ITV=1 AND ITV_INSTALLED>1
| table propertyId FullHospitalName MarinaVersion
| join type=left propertyId
[ search sourcetype=sysconfighost-v*
[| inputlookup HealthcareMasterList.csv
| search ITV=1 AND ITV_INSTALLED>1
| fields propertyId
| format]
| dedup propertyId hostId sortby -dateTime
| stats max(coreVersion) as coreVersion by propertyId]
| eval version=if(isnull(coreVersion),MarinaVersion,coreVersion)
| eval version=substr(version,1,2)
| fields - MarinaVersion coreVersion
| sort FullHospitalName</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="time" token="field1" searchWhenChanged="false">
<label>Date Picker</label>
<default>
<earliest>-1mon@mon</earliest>
<latest>@mon</latest>
</default>
</input>
</fieldset>
With the query above I end up with three fields: propertyId, FullHospitalName, version.
The 'FullHospitalName' is what is displayed in the dropdown. The 'propertyId' is what needs to be passed to the query itself to know what data to collect. How do I use the 'version' field to determine which of the two queries to use?
I have only demonstrated changing a simple string, but you can replace with a complex string for your base search.
<form version="1.1" theme="light">
<search id="base_search">
<query>| makeresults | eval testfield="$tok_searchfieldvalue$" | fields *</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<label>Answers - Classic - Token to Select Base Search</label>
<fieldset submitButton="true" autoRun="false">
<input type="radio" token="tok_searchfieldvalue" searchWhenChanged="false">
<label>Base Query</label>
<choice value="field_value_1">Field Value 1</choice>
<choice value="field_value_2">Field Value 2</choice>
</input>
</fieldset>
<row>
<panel>
<html>search_field_value_change</html>
</panel>
<panel>
<html>$tok_searchfieldvalue$</html>
</panel>
</row>
<row>
<panel>
<table>
<search base="base_search"></search>
</table>
</panel>
</row>
</form>
Here's what I've ended up doing until I can find another solution. I created a dropdown for the version and set up conditions that I then passed to the panels below with my queries to indicate which one to display. I added two panels at the top that tell the user which version to choose from the Marina Version dropdown.
<form version="1.1" theme="light">
<label>Education Title Report</label>
<search>
<query>| inputlookup HealthcareMasterList.csv
| search propertyId=$propertyId$
| table propertyId FullHospitalName MarinaVersion
| join type=left propertyId
[ search sourcetype=sysconfighost-v* earliest=-24h@h propertyId=$propertyId$
| dedup propertyId hostId sortby -dateTime
| stats max(coreVersion) as coreVersion by propertyId]
| eval version=if(isnull(coreVersion),MarinaVersion,coreVersion)
| eval version=substr(version,1,2)
| eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version)
| fields - MarinaVersion coreVersion</query>
<preview>
<eval token="MarinaVersion">$result.version$</eval>
</preview>
</search>
<fieldset submitButton="true" autoRun="false">
<input type="dropdown" token="propertyId" searchWhenChanged="true">
<label>Site</label>
<fieldForLabel>FullHospitalName</fieldForLabel>
<fieldForValue>propertyId</fieldForValue>
<search>
<query>| inputlookup HealthcareMasterList.csv
| search ITV=1 AND ITV_INSTALLED>1
| table propertyId FullHospitalName MarinaVersion
| join type=left propertyId
[ search sourcetype=sysconfighost-v*
[| inputlookup HealthcareMasterList.csv
| search ITV=1 AND ITV_INSTALLED>1
| fields propertyId
| format]
| dedup propertyId hostId sortby -dateTime
| stats max(coreVersion) as coreVersion by propertyId]
| eval version=if(isnull(coreVersion),MarinaVersion,coreVersion)
| eval version=substr(version,1,2)
| eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version)
| fields - MarinaVersion coreVersion
| sort FullHospitalName</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="WhichVersion">
<label>Marina Version</label>
<choice value="Pre15">Pre15</choice>
<choice value="Post15">Post15</choice>
<choice value="NA">NA</choice>
<change>
<condition value="Post15">
<unset token="NoAssignments"></unset>
<set token="IncludesAssignments">true</set>
<unset token="NoInfo"></unset>
</condition>
<condition value="Pre15">
<set token="NoAssignments">true</set>
<unset token="IncludesAssignments"></unset>
<unset token="NoInfo"></unset>
</condition>
<condition value="NA">
<unset token="NoAssignments"></unset>
<unset token="IncludesAssignments"></unset>
<set token="NoInfo">true</set>
</condition>
</change>
</input>
<input type="time" token="field1" searchWhenChanged="true">
<label>Date Picker</label>
<default>
<earliest>-1mon@mon</earliest>
<latest>@mon</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>Please select the following for the Marina Version dropdown:</html>
</panel>
<panel>
<html>$MarinaVersion$</html>
</panel>
</row>
Having the user use the version dropdown was not what I wanted to do, but this at least works for now until I stumble upon a better method.
I've been pondering over this example for a couple of days now and I'm still lost as to how to change my current setup to allow the third field to determine which query to run based on what software version a customer has.
I'm struggling to understand what "$tok_searchfieldvalue$" represents and how displaying it in a panel will inform the dashboard which of the two queries to run and display results from.
Using the <choice value=......> in the fieldset section is something I haven't worked with before so I'll go try to find more documentation or online use cases for this and see if I can apply those to my situation. Can I have more than two of these <choice value=....> lines? And then could I use one of them to tell the dashboard to, say, hide one panel but unhide the other one and display its results?
I appreciate the attempt to help me but I fear I may be too new to these dashboard customizations to grasp how your example applies to mine.
I'll try to answer in order of your response.
$tok_searchfieldvalue$ is only displayed in the panel to visually demonstrate to you how the tokens change and update as you flip the radial button. When transferring the concept to your dashboard you will use it differently. Possibly to replace a large portion of your search or which search to run. You mentioned the SPL changed based on a version threshold above or below.
Yes you can have more choices for radio buttons but very quickly the radio input will get crowded and word wrap. You can have an input which is just a single select dropdown if you want to do each specific version number as its own option. I only demonstrated radio buttons as your OP indicated only 2 searches (SPL) to pick from, so it works visually OK with that.
Yes you can use the choices to trigger panel hide and seek, but that is more advanced. Not impossible but best to start small, you can only eat an elephant one bite at a time.
Here's what I ended up doing: Created a dropdown for the versions and added conditions in that to pass to the panels with the queries. Then I added a row at the top that displays for the user which version to pick from the dropdown. This wasn't what I had in mind but for now it works. Below is the dashboard code in case anyone smarter and more experienced happens to notice something I could improve on.
<form version="1.1" theme="light">
<label>Education Title Report</label>
<search>
<query>| inputlookup HealthcareMasterList.csv
| search propertyId=$propertyId$
| table propertyId FullHospitalName MarinaVersion
| join type=left propertyId
[ search sourcetype=sysconfighost-v* earliest=-24h@h propertyId=$propertyId$
| dedup propertyId hostId sortby -dateTime
| stats max(coreVersion) as coreVersion by propertyId]
| eval version=if(isnull(coreVersion),MarinaVersion,coreVersion)
| eval version=substr(version,1,2)
| eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version)
| fields - MarinaVersion coreVersion</query>
<preview>
<eval token="MarinaVersion">$result.version$</eval>
</preview>
</search>
<fieldset submitButton="true" autoRun="false">
<input type="dropdown" token="propertyId" searchWhenChanged="true">
<label>Site</label>
<fieldForLabel>FullHospitalName</fieldForLabel>
<fieldForValue>propertyId</fieldForValue>
<search>
<query>| inputlookup HealthcareMasterList.csv
| search ITV=1 AND ITV_INSTALLED>1
| table propertyId FullHospitalName MarinaVersion
| join type=left propertyId
[ search sourcetype=sysconfighost-v*
[| inputlookup HealthcareMasterList.csv
| search ITV=1 AND ITV_INSTALLED>1
| fields propertyId
| format]
| dedup propertyId hostId sortby -dateTime
| stats max(coreVersion) as coreVersion by propertyId]
| eval version=if(isnull(coreVersion),MarinaVersion,coreVersion)
| eval version=substr(version,1,2)
| eval version=case(version IN ("6.","10","11","12","14"),"Pre15",version IN ("15","16","17","18"),"Post15",1=1,version)
| fields - MarinaVersion coreVersion
| sort FullHospitalName</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="WhichVersion">
<label>Marina Version</label>
<choice value="Pre15">Pre15</choice>
<choice value="Post15">Post15</choice>
<choice value="NA">NA</choice>
<change>
<condition value="Post15">
<unset token="NoAssignments"></unset>
<set token="IncludesAssignments">true</set>
<unset token="NoInfo"></unset>
</condition>
<condition value="Pre15">
<set token="NoAssignments">true</set>
<unset token="IncludesAssignments"></unset>
<unset token="NoInfo"></unset>
</condition>
<condition value="NA">
<unset token="NoAssignments"></unset>
<unset token="IncludesAssignments"></unset>
<set token="NoInfo">true</set>
</condition>
</change>
</input>
<input type="time" token="field1" searchWhenChanged="true">
<label>Date Picker</label>
<default>
<earliest>-1mon@mon</earliest>
<latest>@mon</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>Please select the following for the Marina Version dropdown:</html>
</panel>
<panel>
<html>$MarinaVersion$</html>
</panel>
</row>
OK, I understand more where you were coming from now. Unfortunately this method won't work for my situation. I am using a dropdown that displays the actual name of the customer site we want to run this report for and that list is 100+ names. I also need this list to be dynamic so when new customers are onboarded, they automatically appear in the list.
Now the names correspond to a "propertyId" which is what I have to send to the query to use on the data itself. (Pairing of the names and propertyId's are brought in from an external source and not Splunk event data.) The people I am designing this dashboard for will not have knowledge of what version that site has so they won't know whether to choose a > or < option. That's why I want to set up in the background for the dashboard to choose which query to run based on the name chosen from the dropdown box.
I've started looking at some examples of using "choice value=" and pairing that with <change> and <condition label=..> but that appears to either force me to create a value= for every single customer name or only have the choice of < versions and > versions. I'm beginning to think that what I am trying to accomplish cannot be done or at least not done in a dynamic way so that new customers are automatically added. But I will continue my online research and hopefully there will be an example out there that will spark an idea of another way to accomplish this.
Even though I am not yet successful, I do appreciate your response and attempt to help me out!
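Added example, not part of any post in this thread: one way to let the dashboard pick the query itself is a hidden search keyed on the Site dropdown whose `<done>` handler sets the same show/hide tokens the posted dashboard sets by hand. It assumes `MarinaVersion` in the lookup starts with the major version followed by a dot, skips the `coreVersion` join for brevity, and uses placeholder panel queries because the thread does not show the real ones.

```xml
<form version="1.1" theme="light">
  <label>Version-driven panels (added example)</label>
  <!-- Hidden search: re-runs when $propertyId$ changes; |s quotes the token value safely -->
  <search>
    <query>| inputlookup HealthcareMasterList.csv
| search propertyId=$propertyId|s$
| eval major=tonumber(mvindex(split(MarinaVersion,"."),0))
| eval version=case(major&gt;=15,"Post15",major&gt;=6,"Pre15",true(),"NA")
| table propertyId version</query>
    <done>
      <condition match="'result.version'==&quot;Post15&quot;">
        <set token="IncludesAssignments">true</set>
        <unset token="NoAssignments"></unset>
        <unset token="NoInfo"></unset>
      </condition>
      <condition match="'result.version'==&quot;Pre15&quot;">
        <set token="NoAssignments">true</set>
        <unset token="IncludesAssignments"></unset>
        <unset token="NoInfo"></unset>
      </condition>
      <condition>
        <set token="NoInfo">true</set>
        <unset token="IncludesAssignments"></unset>
        <unset token="NoAssignments"></unset>
      </condition>
    </done>
  </search>
  <fieldset submitButton="false">
    <input type="dropdown" token="propertyId" searchWhenChanged="true">
      <label>Site</label>
      <fieldForLabel>FullHospitalName</fieldForLabel>
      <fieldForValue>propertyId</fieldForValue>
      <search>
        <query>| inputlookup HealthcareMasterList.csv | search ITV=1 AND ITV_INSTALLED&gt;1 | sort FullHospitalName</query>
      </search>
    </input>
  </fieldset>
  <!-- Placeholder queries below: substitute the real pre-15 and 15+ searches -->
  <row depends="$NoAssignments$">
    <panel><title>Pre-15 report</title>
      <table><search><query>| makeresults | eval placeholder="pre-15 query for $propertyId$"</query></search></table>
    </panel>
  </row>
  <row depends="$IncludesAssignments$">
    <panel><title>15+ report</title>
      <table><search><query>| makeresults | eval placeholder="15+ query for $propertyId$"</query></search></table>
    </panel>
  </row>
  <row depends="$NoInfo$"><panel><html>No version information for this site.</html></panel></row>
</form>
```

Because the site list and the version class both come from the lookup, newly onboarded sites appear in the dropdown and are routed to the right panel without adding a `<choice>` per site.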