Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass two different values to Dashboard query.

kanthurao
Engager
‎10-09-2021 07:23 AM

We have multiple environments and we have to check whether splunk logs indexed or not. Based on environment we have to run query.

In this below query, it's running as: (Dev1 is missing in env=trafficui)

index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=trafficui OR env=trafficbatchDev1 NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>

 

But I wanted like:

index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=trafficuiDev1 OR env=trafficbatchDev1 NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>

 

Original Query:

<form>
<label>DEV1 - Logs Indexed</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="env_tok" searchWhenChanged="true">
<label>Select Environment</label>
<choice value="Dev1">DEV1</choice>
<choice value="Dev2">DEV2</choice>
<default>Dev1</default>
<initialValue>Dev1</initialValue>
</input>
<input type="dropdown" token="app_tok" searchWhenChanged="true">
<label>Select Application</label>
<fieldForLabel>env</fieldForLabel>
<fieldForValue>env</fieldForValue>
<choice value="trafficui OR env=trafficbatch">Traffic</choice>
<choice value="roadsui OR env=roadsbatch">Roads</choice>
<change>
<condition value="Roads">
<set token="new_search">index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=$app_tok$$env_tok$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>
</condition>
<default>Roads</default>
<initialValue>Roads</initialValue>
</input>
<input type="time" searchWhenChanged="true">
<label>Select Date</label>
<default>
<earliest>-1d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>$new_search$
</query>
</search>
<option name="showPager">true</option>
<option name="count">50</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-10-2021 09:14 PM

@kanthurao 

Yes, Bcoz we did unset the search token.

 <change>
        <condition value="Roads">
          <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
        </condition>
        <condition>
          <unset token="new_search"></unset>
        </condition>
      </change>

 

You need to just replace unset with traffic logic. like

<set token="new_search">trafficui OR env=trafficbatch</set>

OR

<set token="new_search">trafficui$env_tok$ OR env=trafficbatch$env_tok$</set>

 

Just make sure changes should be on both Change event. 🙂 

 

KV 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-09-2021 07:49 AM

@kanthurao 

Can you please try by changing condition from

 

<condition value="Roads">

 

to

 

<condition value="roadsui OR env=roadsbatch">

 

 

AND 

need to add change event for env_tok token as well. 

 

My Sample Code:

 

<form script="a.js">
	<label>DEV1 - Logs Indexed</label>
	<fieldset submitButton="false" autoRun="true">
		<input type="dropdown" token="env_tok" searchWhenChanged="true">
			<label>Select Environment</label>
			<choice value="Dev1">DEV1</choice>
			<choice value="Dev2">DEV2</choice>
			<default>Dev1</default>
			<initialValue>Dev1</initialValue>
			<change>
				<condition match="'app_tok' == &quot;roadsui OR env=roadsbatch&quot;">
					<set token="new_search">index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=$app_tok$$env_tok$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>
				</condition>
				<condition>
				  <unset token="new_search" />
				</condition>
				</change>
		</input>
		<input type="dropdown" token="app_tok" searchWhenChanged="true">
			<label>Select Application</label>
			<fieldForLabel>env</fieldForLabel>
			<fieldForValue>env</fieldForValue>
			<choice value="trafficui OR env=trafficbatch">Traffic</choice>
			<choice value="roadsui OR env=roadsbatch">Roads</choice>
			<change>
				<condition value="roadsui OR env=roadsbatch">
					<set token="new_search">index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=$app_tok$$env_tok$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>
				</condition>
				<condition>
				  <unset token="new_search" />
				</condition>
				</change>
				<default>Roads</default>
				<initialValue>Roads</initialValue>
			</input>
			<input type="time" searchWhenChanged="true">
				<label>Select Date</label>
				<default>
					<earliest>-1d@d</earliest>
					<latest>now</latest>
				</default>
			</input>
		</fieldset>
		<row>
			<panel>
				<html>$new_search$
				<br />
				$app_tok$
				<br />
				$env_tok$
				</html>
				<html>
<button class="btn btn-primary button2" style="margin-left: 950px; margin-top: -75px; position: absolute;" token="button">Report Of Killed Processes</button>
</html>


				</panel>
		</row>
	</form>

 

 

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

kanthurao
Engager
‎10-09-2021 01:52 PM

@kamlesh_vaghela 

 

But I wanted Dev1 to be added to that query. and if I change to another environment like Dev2, it should change to Dev2.

index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=roadsuiDev1 OR env=roadsbatchDev1 NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-09-2021 10:05 PM

@kanthurao 

please check my updated answer.

kv

0 Karma
Reply
Solved! Jump to solution

kanthurao
Engager
‎10-10-2021 08:15 AM

@kamlesh_vaghela 

Thank you for looking into this.

But Dev1 is not adding into query for "roadsui", it's only adding to "roadsbatchDev1". 

Expected: env=roadsuiDev1 OR env=roadsbatchDev1

Actual:  env=roadsui OR env=roadsbatchDev1

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-10-2021 09:07 AM

@kanthurao 

I did some changes. Can you please try this?

<form script="a.js">
  <label>DEV1 - Logs Indexed</label>
  <init><set token="new_search">env=roadsuiDev1 OR env=roadsbatchDev1</set></init>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="env_tok" searchWhenChanged="true">
      <label>Select Environment</label>
      <choice value="Dev1">DEV1</choice>
      <choice value="Dev2">DEV2</choice>
      <default>Dev1</default>
      <initialValue>Dev1</initialValue>
      <change>
        <condition match="'form.app_tok' == &quot;Roads&quot;">
          <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
        </condition>
        <condition>
          <unset token="new_search"></unset>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="app_tok" searchWhenChanged="true">
      <label>Select Application</label>
      <fieldForLabel>env</fieldForLabel>
      <fieldForValue>env</fieldForValue>
      <choice value="trafficui OR env=trafficbatch">Traffic</choice>
      <choice value="Roads">Roads</choice>
      <change>
        <condition value="Roads">
          <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
        </condition>
        <condition>
          <unset token="new_search"></unset>
        </condition>
      </change>
      <default>Roads</default>
      <initialValue>Roads</initialValue>
    </input>
    <input type="time" searchWhenChanged="true">
      <label>Select Date</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>$new_search$
				<br/>
				$app_tok$
				<br/>
				$env_tok$
				</html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=*_dev sourcetype=WebSphere* OR sourcetype=http* $new_search$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

KV

0 Karma
Reply
Solved! Jump to solution

kanthurao
Engager
‎10-10-2021 09:53 AM

@kamlesh_vaghela 

When I changed to Traffic, it's not working. Please check screen shot.

 

Traffic.PNG

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-10-2021 09:14 PM

@kanthurao 

Yes, Bcoz we did unset the search token.

 <change>
        <condition value="Roads">
          <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
        </condition>
        <condition>
          <unset token="new_search"></unset>
        </condition>
      </change>

 

You need to just replace unset with traffic logic. like

<set token="new_search">trafficui OR env=trafficbatch</set>

OR

<set token="new_search">trafficui$env_tok$ OR env=trafficbatch$env_tok$</set>

 

Just make sure changes should be on both Change event. 🙂 

 

KV 

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top