Dashboards & Visualizations

How to set two tokens off one dropdown in dashboard?

Communicator

New fun dashboarding issue. I'm trying to set two different tokens off one dropdown. Is this possible?
I have a dropdown input with a token called $application$. I have one dashboard that summarizes things by IP Address and the drilldown for that is set based on a condition. If you click on the Total at the bottom of the table it will set one thing, otherwise it goes for the $click.value$. This drives a second dashboard that uses a kvstore lookup which is prefiltered using a rather clever (I thought anyway) subsearch to set the where clause. This subsearch uses $application$ in it's function narrow the list of IP Addresses it is initially looking at. I'm trying to make it so if I change the dropdown pointing to $application$ I can get it to update the search and rerun it.

So this looks something like this right now:

<init>
  <set token="ip">([subsearch stuff | where application="$application$" | return 1000 IP_Address])</set>
</init>
<input type="dropdown" token="application" searchWhenChanged="true">
</input>
<table>
  <title>Search 1 - By IP address</title>
  <search>some search here | where application=$application$ | stats count by IP_Address 
          | addcoltotals labelfield="IP_Address"</search>
  <drilldown>
    <condition match="match('click.value', &quot;Total&quot;)">
      <set token="ip">([subsearch stuff | where application="$application$" | return 1000 IP_Address])</set>
    </condition>
    <condition>
      <set token="ip">$click.value$</set>
      <eval token="ip">"IP_Address="+$ip$</eval>
    </condition>
  </drilldown>
</table>
<table>
  <title>Search 2 - Details</title>
  <search>| inputlookup kvstorelookup where $ip$ | do some stuff</search>
</table>

So as of right now, as long as I don't change application, I can get Search 1 to affect Search 2 to my hearts content. It will happily switch the value back and forth between IP_Address=someip and the subsearch ([subsearch stuff | where application="$application$" | return 1000 IP_Address]) but when I change the value of $application$ I have to reclick "Total" in Search 1 in order to update the value of $application$ in search two. Effectively what I would like to do is when you change the value of $application$ have it overwrite the value of $ip$ back to the subsearch value with the new application defined.

Oh, the reason I am using the where clause at all on the kvstore is without this the search will take 3x as long (45 seconds instead of 15 seconds). And then once I overwrite the value of $ip$ to just a single IP it will reduce that further down to a ~3 second search. This greatly enhances user experience, if I can just get the last piece to work.

0 Karma
1 Solution

Legend

@fairje seems like you are missing the code for dropdown input application. However, to answer your question, on change of the dropdown value you can set multiple tokens using <change> event handler. The code would look something like the following:

 <input type="dropdown" token="application" searchWhenChanged="true">
 ...
 ...
         <change>
               <set token="ip">([subsearch stuff | where application="$value$" | return 1000 IP_Address])</set>
         </change>
 </input>

PS: Predefined tokens $value$ and $label$ inside the <change> event handlers are used to access selected value and label respective in the dropdown. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Event_handler_element

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Legend

@fairje seems like you are missing the code for dropdown input application. However, to answer your question, on change of the dropdown value you can set multiple tokens using <change> event handler. The code would look something like the following:

 <input type="dropdown" token="application" searchWhenChanged="true">
 ...
 ...
         <change>
               <set token="ip">([subsearch stuff | where application="$value$" | return 1000 IP_Address])</set>
         </change>
 </input>

PS: Predefined tokens $value$ and $label$ inside the <change> event handlers are used to access selected value and label respective in the dropdown. Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Event_handler_element

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Communicator

Ah, I somehow totally overlooked this section of the documentation when I was scratching my head over how to do it. This is exactly what I was looking for!

Yeah, I had left off the excess code since I was trying not to flood the question with a giant wall of text and keep things simpler to understand what I was seeking.

0 Karma

SplunkTrust
SplunkTrust

Okay, when designing complex interactions, you need to make sure that you avoid what is called a "race" condition - where A changes B, which changes A again.

Second, if your token $application$ isn't going to be manipulated by the dropdown, then it doesn't need to be an input... it can just be a naked token. If it is going to be manipulated by the dropdown, then the dropdown should have a source query.

We're going to assume that the source query is there, but you've deleted it to simplify the presentation of your question. If that's the case, you just need a <change> condition on the application dropdown to reset your subsearch.

<fieldset>
  <input type="dropdown" token="application" searchWhenChanged="true">
    <query>your search that populates dropdown</query>
    <fieldForLabel></fieldForLabel>
    <fieldForValue></fieldForValue>
    <change>
      <set token="ip">([subsearch stuff | where application="$value$" | return 1000 IP_Address])</set>
    </change>
  </input>
</fieldset>

updated $application$ to $value$ as per best practices suggestion from @niketnilay

Legend

@DalJeanis just noticed your answer after posting mine... it should be $value$ inside the <change> event handler.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Communicator

Thanks for the answer, looks like using the token name $application$ also does work, but I assume $value$ is the better way to go.

But yes, I just left off data to keep it easier to read what I was actually asking for. My dashboard has a lot more going on than just these elements, but this was ultimately asking the question in the simplest format possible.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!