How to select dashboard panel query based on dropdown input selection

Path Finder

I have a dashboard which contains 2 inputs. I have 2 separate queries which would run based on the results of the first input.

<fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="i_criteria">
        <label>Search Criteria</label>
        <choice value="message_id">Message ID</choice>
        <choice value="from">Sender</choice>
        <choice value="sender_domain">Sender Domain</choice>
        <choice value="x_mailer">X-mailer</choice>
    </input>
    <input type="text" token="s_value" searchWhenChanged="false">
        <label>Search Value</label>
    </input>
</fieldset>

If the user selects Message ID, Sender, or Sender Domain, the first query should run. If the user selects X-mailer, the second query should run.

My first query begins with <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host].......................</query>

The second query begins with <query>index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host]..................</query>

Assistance with this will be greatly appreciated.

0 Karma

Splunk Employee

@adamblock2 - Just so you know, there is special markup language on this site so certain symbols will transform your post. If you wrap a word in < or >, without wrapping it in a code sample, it will transform your post. If you wish to show the < > (i.e. you are displaying sample code), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar.

0 Karma

Splunk Employee

Hi @adamblock2,
You can use change and condition elements to set up conditional handling of different input values. You can also use a token to represent the query that should run in either case. Depending on the user selection, set that query token to one or the other search strings in your condition elements.

See http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Define_tokens_for_conditional_operation...

and

http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Conditional_operations_with_form_inputs

You can also check out the dashboards examples app for more info:
https://splunkbase.splunk.com/app/1603/

Hope this helps!

0 Karma

Path Finder

I think that I might be missing something.

My dashboard contains

  • A text input which populates the token "s_value"
  • A dropdown which populates the token "i_criteria"
  • A dropdown which populates the token "d_status"

I updated my i_criteria dropdown to include the following:

<change>
    <condition value="x_mailer">
        <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | join message_id [search index=mail eventtype=mail_details x_mailer=$s_value|s$ | stats count by message_id, x_mailer| fields x_mailer, message_id] | search delivery_status=$d_status$ | table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
    </condition>
    <condition value="message_id">
        <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
    </condition>
    <condition value="from">
        <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
    </condition>
    <condition value="sender_domain">
        <set token="s_query">index=mail eventtype=pps_filter [search index=mail eventtype=pps_filter $i_criteria$!=x_mailer $i_criteria$=$s_value|s$ | stats count by internal_message_id, host | fields internal_message_id, host] | iplocation hops_ip | stats max(_time) AS _time, values(delivery_status) AS delivery_status, values(subject) AS subject, values(from) AS from, values(rcpt) AS to, values(sender_domain) AS sender_domain, values(hops_ip) AS infr_ip, values(Country) AS country, values(file_name) AS file_name, values(message_id) AS message_id, values(x_mailer) AS x_mailer by internal_message_id, host | search delivery_status=$d_status$ | join type=outer message_id [search index=mail eventtype=mail_details | eval x_mailer=if(x_mailer="","NULL",x_mailer) | stats count by message_id,x_mailer | fields message_id, x_mailer] |table _time, delivery_status, subject, from, to, sender_domain, infr_ip, country, file_name, message_id, x_mailer | sort _time</set>
    </condition>
</change>

I then replaced my query statement with <query>$s_query$</query>

The query does not run. I receive a message "Search Factory: Unknown search command 's'." In addition, the submit button no longer functions.

Any ideas?

Thank you.

0 Karma

Splunk Employee

Hm. I'll see if I can replicate the issue in my instance. It might have to do with escaping characters or formatting the search string. I'll report back.

0 Karma

Splunk Employee

I tried setting up a similar example with test code.

What worked:
A dropdown whose selection is used (as a token) to conditionally set a query string in a panel.

What didn't work:
Combining tokenized selection or input values from a text box and a dropdown in the query. I don't think they are "aware" of input events on each other, so the query is not getting populated with tokenized values from both the dropdown and the text box.

I'll tinker a bit more with my own source code to see if there's something I can suggest.

0 Karma
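
A small static check for the pattern this thread is debugging, added here as an example (not code from any poster or from Splunk): it parses a Simple XML form and lists every `$token$` reference embedded in a `<set>` body, noting whether the referenced token belongs to a different form input. The sample dashboard is constructed and cut down from the thread's inputs; the function name and record fields are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, cut down from the thread's inputs (searches shortened).
SAMPLE = """<form>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="i_criteria">
      <choice value="from">Sender</choice>
      <choice value="x_mailer">X-mailer</choice>
      <change>
        <condition value="x_mailer">
          <set token="s_query">index=mail x_mailer=$s_value|s$ | search delivery_status=$d_status$</set>
        </condition>
        <condition value="from">
          <set token="s_query">index=mail $i_criteria$=$s_value|s$ | stats count by host</set>
        </condition>
      </change>
    </input>
    <input type="text" token="s_value" searchWhenChanged="false"/>
  </fieldset>
  <row><panel><table><search><query>$s_query$</query></search></table></panel></row>
</form>"""

# Matches $name$ and $name|filter$ (for example the |s quoting filter).
TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)(?:\|(\w+))?\$")

def nested_token_refs(xml_text):
    """List every token reference embedded in a <set> body of a form input."""
    root = ET.fromstring(xml_text)
    input_tokens = {i.get("token") for i in root.iter("input") if i.get("token")}
    findings = []
    for inp in root.iter("input"):
        for cond in inp.iter("condition"):
            for st in cond.findall("set"):
                for name, filt in TOKEN_RE.findall(st.text or ""):
                    findings.append({
                        "owner": inp.get("token"),        # input holding the <change>
                        "condition": cond.get("value"),
                        "sets": st.get("token"),
                        "ref": name,
                        "filter": filt or None,
                        "defined": name in input_tokens,  # some input supplies it
                        "other_input": name in input_tokens and name != inp.get("token"),
                    })
    return findings

if __name__ == "__main__":
    for f in nested_token_refs(SAMPLE):
        print(f)
```

A record with `other_input` set to true marks a value owned by a different input than the one whose change handler builds the string, which is the combination the last reply reports as not working; `defined` set to false marks a token that no input in the parsed form supplies.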