
How to make panel appear from a conditional token chosen on time picker?

feickertmd
Communicator

I have a timechart on my dashboard. I want people to be able to pick any time for the history of data, but I do not want them to pick the wrong timespans (example: don't ask for 1 month of data at 15-min intervals).

How can I set conditional tokens based on the range of time picked? Can I just use

<condition match=latest-earliest < (some number of seconds for epoch time difference?)>

Thanks!

1 Solution

feickertmd
Communicator

Turns out that the answer was right in the documentation the whole time! (http://docs.splunk.com/Documentation/Splunk/6.6.0/Viz/tokens#Define_conditional_matching). There is a sample of how to do a condition based on duration.

Here is my new code:

    <panel>
      <input type="time" token="api_time" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-7d@d</earliest>
          <latest>@d</latest>
        </default>
        <change>
          <!-- if time is less than 12 hours, show Hour, 15 Min, Min  -->
          <condition match="relative_time(now(), $api_time.latest$) - relative_time(now(), $api_time.earliest$) < 43201">
            <set token="hour_top">hour</set>
            <unset token="show"></unset>
            <set token="span">15m</set>
          </condition>
          <!-- if time is between 12 hours and 7 days, show Day, Hour, 15 Min  -->
          <condition match="43200 < relative_time(now(), $api_time.latest$) - relative_time(now(), $api_time.earliest$) < 604801">
            <set token="show">show</set>
            <unset token="hour_top"></unset>
            <set token="span">1d</set>
          </condition>
        </change>
      </input>
    </panel>

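To see which branch of the accepted answer a given time-picker selection lands in, here is an added Python emulation (not part of the original post or of Splunk) of `relative_time()` for the modifiers used above, plus the two `<condition match>` thresholds. It assumes the offset is applied before the snap-to (as in `-7d@d`) and snaps to UTC boundaries, whereas Splunk snaps in the user's time zone.

```python
import re

# Seconds per unit for offsets (-7d, -24h, ...) and for snap-to boundaries (@d, @h, ...).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Supported shape: optional signed offset, then optional snap-to: "-7d@d", "@d", "-24h@h", "-12h".
MODIFIER_RE = re.compile(r"^(?:([+-]\d+)([smhdw]))?(?:@([smhd]))?$")


def relative_time(now: int, modifier: str) -> int:
    """Emulate Splunk's relative_time(now(), modifier) for the modifiers used in the thread.

    Assumption: the offset is applied first and the snap-to second (as in "-7d@d"),
    and snapping floors to a UTC boundary; Splunk snaps in the user's time zone.
    """
    if modifier == "now":
        return now
    match = MODIFIER_RE.match(modifier)
    if not modifier or not match:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    offset, unit, snap = match.groups()
    t = now + (int(offset) * UNIT_SECONDS[unit] if offset else 0)
    if snap:
        t -= t % UNIT_SECONDS[snap]  # floor to the start of the second/minute/hour/day
    return t


def selected_duration(now: int, earliest: str, latest: str) -> int:
    """latest - earliest in seconds: the quantity the accepted answer's <condition match> compares."""
    return relative_time(now, latest) - relative_time(now, earliest)


def accepted_answer_tokens(duration: int):
    """The two <condition> branches from the accepted answer, checked in document order.

    Returns the tokens that branch sets, or None when neither branch matches (for example a
    30-day selection): in that case the dashboard's tokens silently keep their previous values.
    """
    if duration < 43201:
        return {"hour_top": "hour", "span": "15m"}  # 'show' is unset by this branch
    if 43200 < duration < 604801:
        return {"show": "show", "span": "1d"}  # 'hour_top' is unset by this branch
    return None
```

The default selection `-7d@d` to `@d` is exactly 604800 seconds, which is why the second branch tests `< 604801` rather than `< 604800`.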


woodcock
Esteemed Legend

Please note that this answer has a flaw. Please see here for more details:
https://answers.splunk.com/answers/528570/why-are-conditional-tokens-one-change-behind-for-t.html?ch...


rjthibod
Champion

Regarding how to adjust the span based on the duration, there is also a simpler approach using a subsearch in your timechart command. This does not address the hiding of the panel, but I am not sure why exactly you need to do that in the first place. If you can provide more information as to why you are hiding the panel, I can adjust my feedback.

The basic gist looks like this:

    | timechart [stats count | addinfo | eval range = info_max_time - info_min_time | eval span = "span=" . case(range < 24*3600+3600, "30m", range < 7*24*3600+3600, "2h", 1=1, "4h") | return $span] useother=f limit=10 sum(alert) by host

The idea is you use the subsearch and its case statement to set the span based on the duration. You can add / remove case options based on your use case.

If you are going to do this a lot, I suggest you turn it into a macro. See top of the blog post I wrote: https://blog.octoinsight.com/customizing-dynamic-time-spans-in-splunk-dashboards/


niketn
Legend

Following is a run anywhere search

Step 1) Create a Lookup table file > time_span_selection.csv for various valid time spans based on Time selection. You should also create Lookup Definition > time_span_selection

time,span,name
hour,30m,"30 min"
hour,15m,"15 min"
hour,5m,"5 min"
hour,1m,"1 min"
day,12h,"12 hour"
day,8h,"8 hour"
day,4h,"4 hour"
day,1h,"1 hour"
day,30m,"30 min"
day,15m,"15 min"
week,1d,"1 day"
week,1h,"1 hour"
month,1w,"1 week"
month,1d,"1 day"

Above is just a sample. You can come up with your own time and spans. The name column will be used as Label in dropdown. Both Lookup table file and Lookup definition should have proper permissions defined for access.
Step 2) Create a new Dashboard (form) and add the following code

    <!-- form-level search: a literal '<' inside element text is written as &lt; so the XML stays well-formed -->
    <search>
      <query>| makeresults
        | addinfo
        | eval duration=info_max_time-info_min_time
        | eval duration=case(duration&lt;=86400,"hour",duration>86400 AND duration&lt;=604800,"day",duration>604800 AND duration&lt;=2592000,"week",duration>2592000 AND duration&lt;=7776000,"month",duration>7776000 AND duration&lt;=31536000,"quarter",true(),"year")
        | table duration</query>
      <earliest>$selTime.earliest$</earliest>
      <latest>$selTime.latest$</latest>
      <preview>
        <set token="tok_duration">$result.duration$</set>
      </preview>
    </search>
    <fieldset submitButton="false">
      <input type="time" token="selTime" searchWhenChanged="true">
        <label>Select Time</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <input type="dropdown" token="selSpan" searchWhenChanged="true">
        <label>Select Span</label>
        <fieldForLabel>name</fieldForLabel>
        <fieldForValue>span</fieldForValue>
        <default> </default>
        <initialValue> </initialValue>
        <search>
          <query>| makeresults
            | eval time="$tok_duration$"
            | lookup time_span_selection time OUTPUT span name
            | eval temp=mvzip(span,name)
            | mvexpand temp
            | eval arrTemp=split(temp,",")
            | eval span=mvindex(arrTemp,0)
            | eval name=mvindex(arrTemp,1)
            | eval span="span=\"".span."\""
            | table span name</query>
        </search>
        <choice value=" ">default</choice>
      </input>
    </fieldset>
    <row>
      <panel>
        <chart>
          <title>$tok_duration$</title>
          <search>
            <query>index=_internal sourcetype=splunkd log_level=WARN
              | timechart $selSpan$ count</query>
            <earliest>$selTime.earliest$</earliest>
            <latest>$selTime.latest$</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="charting.chart">line</option>
          <option name="charting.drilldown">none</option>
        </chart>
      </panel>
    </row>

PS: The dropdown (selSpan) uses Splunk's default span for timechart. I have added Static default option for the same. You can alternatively set the same manually, however there will be changes required in the following
1) Unset selSpan token on changing the Time

2) a) Set searchWhenChanged to false for selSpan dropdown

<input type="dropdown" token="selSpan" searchWhenChanged="true">

2) b) Remove default and initialValue for selSpan
3) Add Submit button to form

 <fieldset submitButton="false">

4) Depends token for row to hide when selSpan token is not set

 <row depends="$selSpan$">

PS: You should also consider moving the following query for Selected Time Duration to a macro to control various buckets through knowledge object at a single place and reuse the functionality across dashboards. I have used calculations like 1day=60*60*24=86400 seconds. You can customize and add as per your needs.

 | makeresults
 | addinfo
 | eval duration=info_max_time-info_min_time
 | eval duration=case(duration<=86400,"hour",duration>86400 AND duration<=604800,"day",duration>604800 AND duration<=2592000,"week",duration>2592000 AND duration<=7776000,"month",duration>7776000 AND duration<=31536000,"quarter",true(),"year")
 | table duration

Read about addinfo command which can be used to identify earliest and latest time selected. Read about various SPL commands to handle multi value fields like mvzip, mvexpand, split, mvindex.
Based on your Splunk Enterprise version, the Search Event Handler used to capture result.<fieldname> might change from <preview> to <progress>.

Splunk documentation for reference:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions
http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Search_event_handlers

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
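As an added illustration of the two span-selection approaches above (rjthibod's subsearch `case()` and niketn's lookup-driven dropdown), and of the original concern about a user asking for a month of data at 15-minute intervals, here is Python that is not part of either post. It uses a constructed subset of the `time_span_selection.csv` rows, reproduces both duration-to-span mappings, and adds a hypothetical `max_buckets` guard that drops any lookup row whose span would make `timechart` emit too many buckets.

```python
import csv
import io
import math

# Constructed sample in the shape of niketn's time_span_selection.csv (a subset of its rows).
TIME_SPAN_SELECTION = """time,span,name
hour,30m,30 min
hour,15m,15 min
hour,5m,5 min
hour,1m,1 min
day,12h,12 hour
day,1h,1 hour
day,15m,15 min
week,1d,1 day
week,1h,1 hour
month,1w,1 week
month,1d,1 day
"""

SPAN_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400, "w": 604800}


def span_seconds(span: str) -> int:
    """'15m' -> 900, '1d' -> 86400 (timechart span syntax: a number followed by a unit)."""
    return int(span[:-1]) * SPAN_UNIT_SECONDS[span[-1]]


def duration_bucket(duration: int) -> str:
    """niketn's case(): selected duration in seconds -> hour/day/week/month/quarter/year."""
    for limit, name in ((86400, "hour"), (604800, "day"), (2592000, "week"),
                        (7776000, "month"), (31536000, "quarter")):
        if duration <= limit:
            return name
    return "year"


def span_choices(duration: int, max_buckets: int = 1000) -> list:
    """Dropdown choices for a selection: the lookup rows for its bucket, minus any span that
    would make timechart emit more than max_buckets buckets (max_buckets is a hypothetical
    guard added here, not part of the original lookup)."""
    bucket = duration_bucket(duration)
    rows = csv.DictReader(io.StringIO(TIME_SPAN_SELECTION))
    return [(row["span"], row["name"]) for row in rows
            if row["time"] == bucket
            and math.ceil(duration / span_seconds(row["span"])) <= max_buckets]


def subsearch_span(duration: int) -> str:
    """The 'span=...' argument rjthibod's subsearch returns for this range."""
    if duration < 24 * 3600 + 3600:
        return "span=30m"
    if duration < 7 * 24 * 3600 + 3600:
        return "span=2h"
    return "span=4h"
```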

somesoni2
SplunkTrust

You can run a separate search and then set token based on result of that search.


feickertmd
Communicator

Please provide examples. I am a neophyte to the conditionals, and I suspect that I am doing one of the hardest


adonio
Ultra Champion

Why let them pick?
Use the timechart default settings.
Read more here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart


somesoni2
SplunkTrust

See the second answer by @niketnilay for how to run a search and set tokens based on search results.
https://answers.splunk.com/answers/506563/how-can-i-show-and-hide-panels-based-on-a-checkbox.html

Once you have a token set, you can use the depends attribute of the panel to show/hide them and/or include them in the panel search so that they will not run if the token is null.
https://answers.splunk.com/answers/295399/is-it-possible-to-have-a-checkbox-to-toggle-hiding.html
