How to pass two different values to Dashboard query.

kanthurao
Engager

We have multiple environments and we have to check whether Splunk logs are indexed or not. Based on the environment, we have to run the query.

The query below is running as follows (Dev1 is missing in env=trafficui):

index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=trafficui OR env=trafficbatchDev1 NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)

But I wanted it like:

index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=trafficuiDev1 OR env=trafficbatchDev1 NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)

Original Query:

<form>
<label>DEV1 - Logs Indexed</label>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="env_tok" searchWhenChanged="true">
<label>Select Environment</label>
<choice value="Dev1">DEV1</choice>
<choice value="Dev2">DEV2</choice>
<default>Dev1</default>
<initialValue>Dev1</initialValue>
</input>
<input type="dropdown" token="app_tok" searchWhenChanged="true">
<label>Select Application</label>
<fieldForLabel>env</fieldForLabel>
<fieldForValue>env</fieldForValue>
<choice value="trafficui OR env=trafficbatch">Traffic</choice>
<choice value="roadsui OR env=roadsbatch">Roads</choice>
<change>
<condition value="Roads">
<set token="new_search">index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=$app_tok$$env_tok$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>
</condition>
</change>
<default>Roads</default>
<initialValue>Roads</initialValue>
</input>
<input type="time" searchWhenChanged="true">
<label>Select Date</label>
<default>
<earliest>-1d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>$new_search$
</query>
</search>
<option name="showPager">true</option>
<option name="count">50</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>

0 Karma

kamlesh_vaghela
SplunkTrust

@kanthurao 

Can you please try changing the condition from

<condition value="Roads">

to

<condition value="roadsui OR env=roadsbatch">

AND you need to add a change event for the env_tok token as well.

My sample code:

<form script="a.js">
	<label>DEV1 - Logs Indexed</label>
	<fieldset submitButton="false" autoRun="true">
		<input type="dropdown" token="env_tok" searchWhenChanged="true">
			<label>Select Environment</label>
			<choice value="Dev1">DEV1</choice>
			<choice value="Dev2">DEV2</choice>
			<default>Dev1</default>
			<initialValue>Dev1</initialValue>
			<change>
				<condition match="'app_tok' == &quot;roadsui OR env=roadsbatch&quot;">
					<set token="new_search">index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=$app_tok$$env_tok$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>
				</condition>
				<condition>
				  <unset token="new_search" />
				</condition>
				</change>
		</input>
		<input type="dropdown" token="app_tok" searchWhenChanged="true">
			<label>Select Application</label>
			<fieldForLabel>env</fieldForLabel>
			<fieldForValue>env</fieldForValue>
			<choice value="trafficui OR env=trafficbatch">Traffic</choice>
			<choice value="roadsui OR env=roadsbatch">Roads</choice>
			<change>
				<condition value="roadsui OR env=roadsbatch">
					<set token="new_search">index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=$app_tok$$env_tok$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</set>
				</condition>
				<condition>
				  <unset token="new_search" />
				</condition>
				</change>
				<default>Roads</default>
				<initialValue>Roads</initialValue>
			</input>
			<input type="time" searchWhenChanged="true">
				<label>Select Date</label>
				<default>
					<earliest>-1d@d</earliest>
					<latest>now</latest>
				</default>
			</input>
		</fieldset>
		<row>
			<panel>
				<html>$new_search$
				<br />
				$app_tok$
				<br />
				$env_tok$
				</html>
				<html>
<button class="btn btn-primary button2" style="margin-left: 950px; margin-top: -75px; position: absolute;" token="button">Report Of Killed Processes</button>
</html>


				</panel>
		</row>
	</form>

Thanks
KV
▄︻̷̿┻̿═━一   😉

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

kanthurao
Engager

@kamlesh_vaghela

But I wanted Dev1 to be added to that query, and if I change to another environment like Dev2, it should change to Dev2.

index=*_dev sourcetype=WebSphere* OR sourcetype=http* env=roadsuiDev1 OR env=roadsbatchDev1 NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)

0 Karma

kamlesh_vaghela
SplunkTrust

@kanthurao 

Please check my updated answer.

kv

0 Karma

kanthurao
Engager

@kamlesh_vaghela 

Thank you for looking into this.

But Dev1 is not being added to the query for "roadsui"; it's only being added to "roadsbatchDev1".

Expected: env=roadsuiDev1 OR env=roadsbatchDev1

Actual:  env=roadsui OR env=roadsbatchDev1

0 Karma

kamlesh_vaghela
SplunkTrust

@kanthurao 

I made some changes. Can you please try this?

<form script="a.js">
  <label>DEV1 - Logs Indexed</label>
  <init><set token="new_search">env=roadsuiDev1 OR env=roadsbatchDev1</set></init>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="env_tok" searchWhenChanged="true">
      <label>Select Environment</label>
      <choice value="Dev1">DEV1</choice>
      <choice value="Dev2">DEV2</choice>
      <default>Dev1</default>
      <initialValue>Dev1</initialValue>
      <change>
        <condition match="'form.app_tok' == &quot;Roads&quot;">
          <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
        </condition>
        <condition>
          <unset token="new_search"></unset>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="app_tok" searchWhenChanged="true">
      <label>Select Application</label>
      <fieldForLabel>env</fieldForLabel>
      <fieldForValue>env</fieldForValue>
      <choice value="trafficui OR env=trafficbatch">Traffic</choice>
      <choice value="Roads">Roads</choice>
      <change>
        <condition value="Roads">
          <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
        </condition>
        <condition>
          <unset token="new_search"></unset>
        </condition>
      </change>
      <default>Roads</default>
      <initialValue>Roads</initialValue>
    </input>
    <input type="time" searchWhenChanged="true">
      <label>Select Date</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>$new_search$
        <br/>
        $app_tok$
        <br/>
        $env_tok$
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>index=*_dev sourcetype=WebSphere* OR sourcetype=http* $new_search$ NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

KV

0 Karma

kanthurao
Engager

@kamlesh_vaghela 

When I changed to Traffic, it's not working. Please check the screenshot.

Traffic.PNG

0 Karma

kamlesh_vaghela
SplunkTrust

@kanthurao 

Yes, because we unset the search token.

<change>
  <condition value="Roads">
    <set token="new_search">env=roadsui$env_tok$ OR env=roadsbatch$env_tok$</set>
  </condition>
  <condition>
    <unset token="new_search"></unset>
  </condition>
</change>

You just need to replace the unset with the traffic logic, like

<set token="new_search">env=trafficui OR env=trafficbatch</set>

OR

<set token="new_search">env=trafficui$env_tok$ OR env=trafficbatch$env_tok$</set>

Just make sure the changes are made in both change events. 🙂

KV

0 Karma
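
An alternative layout for the dashboard discussed in this thread, as an added example that is not code from any of the posters: the application dropdown stores only a name stem and the query builds both `env` terms itself, so the environment suffix reaches both terms and neither `<change>` handlers nor the `new_search` token are needed. The choice values `traffic` and `roads` and the token name `time_tok` are assumptions made for this example.

```xml
<!-- Added example, not from the thread. Assumed names: the choice values
     "traffic" and "roads", and the time token "time_tok". -->
<form>
  <label>Logs Indexed</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="dropdown" token="env_tok" searchWhenChanged="true">
      <label>Select Environment</label>
      <choice value="Dev1">DEV1</choice>
      <choice value="Dev2">DEV2</choice>
      <default>Dev1</default>
    </input>
    <!-- Values are bare stems. No SPL fragment such as "x OR env=y" is kept
         in the token, so a suffix cannot attach to the last term only. -->
    <input type="dropdown" token="app_tok" searchWhenChanged="true">
      <label>Select Application</label>
      <choice value="traffic">Traffic</choice>
      <choice value="roads">Roads</choice>
      <default>roads</default>
    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Select Date</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Both env terms are written out and grouped with parentheses. -->
          <query>index=*_dev (sourcetype=WebSphere* OR sourcetype=http*) (env=$app_tok$ui$env_tok$ OR env=$app_tok$batch$env_tok$) NOT source=*/nodeagent/* NOT source=*/dmgr/* NOT source=*native_stdout* NOT source=*native_stderr*
| stats min(_time) as FirstTime, max(_time) as lastTime by host index sourcetype source
| convert ctime(FirstTime)
| convert ctime(lastTime)</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

With Roads and Dev1 selected, the env clause is substituted as `(env=roadsuiDev1 OR env=roadsbatchDev1)`; switching either dropdown reruns the search with the new pair of values.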