Dashboards & Visualizations

How to replace columns based on dropdown tokens?

splunklakshman
Explorer

Dear All,

When i select Tractor, i need to get the two columns in below table like VEHICLE_NAME,UNITS
When i select ZEEP, i need to get the two columns in below table like VEHICLE_NAME,UNITS1

Please find the code below. Kindly suggest. Thanks in Advance!

SAMPLE_TEST

<input type="dropdown" token="VEHICLE_NAME" searchWhenChanged="true">
  <label>Select Vehicle</label>
  <choice value="TRACTOR">TRACTOR</choice>
  <choice value="ZEEP">ZEEP</choice>
  <fieldForLabel>VEHICLE_NAME</fieldForLabel>
  <fieldForValue>VEHICLE_NAME</fieldForValue>
  <search>
    <query>index=idx_color | table VEHICLE_NAME | dedup VEHICLE_NAME</query>
    <earliest>0</earliest>
    <latest></latest>
  </search>
  <default>TRACTOR</default>
  <initialValue>TRACTOR</initialValue>
</input>


<panel>
  <table>
    <search>
      <query>index=idx_color VEHICLE_NAME=$VEHICLE_NAME$ | eval UNITS1=coalesce(UNITS1,UNITS)| table VEHICLE_NAME , UNITS,UNITS1 |</query>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>
1 Solution

niketn
Legend

If you want to use field name as UNITS when VEHICLE_NAME is TRACTOR and fieldname as UNITS1 when the VEHICLE_NAME is ZEEP and both UNITS and UNITS1 are existing fields available in your indexed data, you can try the following (Dropdown's change event handler is coded using eval to set token for dynamic field name😞

 <input type="dropdown" token="VEHICLE_NAME" searchWhenChanged="true">
   <label>Select Vehicle</label>
   <choice value="TRACTOR">TRACTOR</choice>
   <choice value="ZEEP">ZEEP</choice>
   <fieldForLabel>VEHICLE_NAME</fieldForLabel>
   <fieldForValue>VEHICLE_NAME</fieldForValue>
   <search>
     <query>index=idx_color | table VEHICLE_NAME | dedup VEHICLE_NAME</query>
     <earliest>0</earliest>
     <latest></latest>
   </search>
   <default>TRACTOR</default>
   <initialValue>TRACTOR</initialValue>
   <change>
       <eval token="tok_fieldName">case($value$==&quot;TRACTOR&quot;,&quot;UNITS&quot;,1==1,&quot;UNITS1&quot;)</eval>
   </change>
 </input>

 <panel>
   <table>
     <search>
       <query>index=idx_color VEHICLE_NAME=$VEHICLE_NAME$ | table VEHICLE_NAME , $tok_fieldName$ |</query>
       <sampleRatio>1</sampleRatio>
     </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

splunklakshman
Explorer

Thanks for your help Niketnilay, i have applied the changes, the logic is working fine but when i select Jeep, the UNITS1 value 10 is not coming. Can you please help.

0 Karma

splunklakshman
Explorer

Sorry the UNITS Value 20 is not coming. Can you please help.

0 Karma

splunklakshman
Explorer

Typo error for UNITS1 , value 20 is not displaying in the row. kindly help.

WHILE SELECT ZEEP FROM DROPDOWN, THE RESULT IS AS BELOW.

VEHICLE_NAME UNITS1
ZEEP

0 Karma

niketn
Legend

I have added comment to my answer. I did not think you required coalesce command since field names UNITS and UNITS1 were related with TRACTOR and ZEEP respectively.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

If you want to use field name as UNITS when VEHICLE_NAME is TRACTOR and fieldname as UNITS1 when the VEHICLE_NAME is ZEEP and both UNITS and UNITS1 are existing fields available in your indexed data, you can try the following (Dropdown's change event handler is coded using eval to set token for dynamic field name😞

 <input type="dropdown" token="VEHICLE_NAME" searchWhenChanged="true">
   <label>Select Vehicle</label>
   <choice value="TRACTOR">TRACTOR</choice>
   <choice value="ZEEP">ZEEP</choice>
   <fieldForLabel>VEHICLE_NAME</fieldForLabel>
   <fieldForValue>VEHICLE_NAME</fieldForValue>
   <search>
     <query>index=idx_color | table VEHICLE_NAME | dedup VEHICLE_NAME</query>
     <earliest>0</earliest>
     <latest></latest>
   </search>
   <default>TRACTOR</default>
   <initialValue>TRACTOR</initialValue>
   <change>
       <eval token="tok_fieldName">case($value$==&quot;TRACTOR&quot;,&quot;UNITS&quot;,1==1,&quot;UNITS1&quot;)</eval>
   </change>
 </input>

 <panel>
   <table>
     <search>
       <query>index=idx_color VEHICLE_NAME=$VEHICLE_NAME$ | table VEHICLE_NAME , $tok_fieldName$ |</query>
       <sampleRatio>1</sampleRatio>
     </search>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@splunklakshman I am not sure what is not working the logic will use field name as UNITS when TRACTOR is selected and UNITS1 when anything else is selected (i.e. for others case is 1==1). Following is simplified version of the same as eval expression to set token will allow double quotes to be used within Simple XML.

<eval token="tok_fieldName">case($value$=="TRACTOR","UNITS",1==1,"UNITS1")</eval>

May be the search query will work if I use original one with coalesce command that you had used. However, I fail to see why you would use coalesce, if you are bothered only for specific column for specific VEHICLE_NAME. Following is the query I think you need:

<query>index=idx_color VEHICLE_NAME=$VEHICLE_NAME$ | eval UNITS1=coalesce(UNITS1,UNITS) | table VEHICLE_NAME , $tok_fieldName$ |</query>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Change your panel search like this
Updated

 <query>index=idx_color VEHICLE_NAME=$VEHICLE_NAME$ | eval UNITS1=coalesce(UNITS1,UNITS)| table VEHICLE_NAME , [|gentimes start=-1 | eval query=if("$VEHICLE_NAME$"="TRACTOR","UNITS","UNITS1") | table query | format "" "" "" "" "" ""]</query>

splunklakshman
Explorer

Dear Somesoni and DalJeanis,

Thanks for the solution, it works as expected.

0 Karma

niketn
Legend

@splunklakshman... Please accept @somesoni2 ' s answer and also upvote @DalJeanis comment, since that is the complete solution for your issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

converted somesoni's answer/comment to an answer so that op CAN accept it. 😉

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Thanks @DalJeanis, it was a typo where I was missing equal sign for comparing.

We need single quotes for field names, here the token $VEHICLE_NAME$ gives value (TRACTOR/JEEP), so double quotes is appropriate.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

...pulls out stubby pencil and writes down "token names are not field names..."

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

should that be

| eval query=if("$VEHICLE_NAME$"="TRACTOR","UNITS","UNITS1") 

or

| eval query=if('$VEHICLE_NAME$'="TRACTOR","UNITS","UNITS1")

I can never remember when single-quotes are required... but this is itching like it might be the case...

splunklakshman
Explorer

Error in 'eval' command: The arguments to the 'if' function are invalid.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Will there be always only 2 options in your dropdown, JEEP and TRACTOR?

0 Karma

splunklakshman
Explorer

Jeep and Tractor only in this scenario . Pls help.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...