Dashboards & Visualizations

How to set up a dashboard that will dynamically choose a search based on time range chosen?

cafissimo
Communicator

Hello,
I would like to set up a dashboard with several panels that have different searches based on the time range chosen.
The time range picker is different for every panel.
For example, if the user chooses "today" as time range, the search to be executed should be

search bar foo | stats count

If the user chooses a time range that does not include a time period of today, the search should be completely different, for example

index=summary_test mickey mouse | timechart count

Thanks in advance and best regards.

0 Karma
1 Solution

sundareshr
Legend

One option would be to show/hide panels based on user selection. For example, try something like this

<input type="time" token="timepicker">
....
<change>
  <condition match='relative_time(now(), $t.earliest$) &gt;= relative_time(now(), "@d")'>
    <set token="current">true</set>
    <unset token="historical" />
  </condition>
  <condition match="*">
    <set token="historical">true</set>
    <unset token="current" />
  </condition>
</change>
</input>
...
<panel depends="$current$" rejects="$historical$">
<chart>
<search>
<query>use current data  | eval dontexecutetilltokenisset="$current$"</query>
</search>
</chart>
</panel>
<panel rejects="$current$" depends="$historical$">
<chart>
<search>
<query>use historical data | eval dontexecutetilltokenisset="$historical$"</query>
</search>
</chart>
</panel>


0 Karma


cafissimo
Communicator

I'd like to use the condition and set token method, but it seems to me that values of the time range picker are not being considered inside the condition match...
You have written "$t.earliest$", but the token name should be "timepicker", am I right?

Thanks again.

0 Karma

cafissimo
Communicator

Working form:

<form>
  <label>Test show hide</label>
  <fieldset submitButton="false">
    <input type="time" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-7d@w0</earliest>
        <latest>@w0</latest>
      </default>
      <change>
        <condition match='relative_time(now(), $earliest$) &lt; relative_time(now(), "@d")'>
          <set token="historical">true</set>
          <unset token="current" />
        </condition>
        <condition match='relative_time(now(), $earliest$) &gt;= relative_time(now(), "@d")'>
          <set token="current">true</set>
          <unset token="historical" />
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$current$" rejects="$historical$">
      <table>
        <search>
          <query>| metadata type=sources | head 10 | table source | eval dontexecutetilltokenisset="$current$"</query>
        </search>
      </table>
    </panel>
    <panel rejects="$current$" depends="$historical$">
      <table>
        <search>
          <query>| metadata type=sourcetypes | head 3 | table sourcetype | eval dontexecutetilltokenisset="$historical$"</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Thanks a lot!!!
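To check which panel a given time-picker preset would unhide before deploying a form like the one above (the accepted answer and the working form both key on the same comparison), here is a small Python model of that condition. It is an added example, not code from the thread or from Splunk; it implements only a subset of the relative-time modifier syntax (units s/m/h/d/w and day/week snaps, no month/year snaps, no epoch values) and the sample clock is constructed.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk's relative-time modifier syntax (assumption: only the units
# s/m/h/d/w and day/week snaps, e.g. "now", "-15m", "-7d@w0", "-1h@h", "@d").
_TOKEN = re.compile(r"([+-]?\d*)([smhdw])|@([smhd]|w[0-6]?)")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def relative_time(now, modifier):
    """Mimic SPL relative_time(now, modifier) for the supported subset."""
    if modifier in ("", "now"):
        return now
    t, pos = now, 0
    while pos < len(modifier):
        m = _TOKEN.match(modifier, pos)
        if not m:
            raise ValueError(f"unsupported modifier {modifier!r} at offset {pos}")
        pos = m.end()
        if m.group(3) is not None:                 # snap, e.g. "@d" or "@w0"
            snap = m.group(3)
            if snap.startswith("w"):               # @w and @w0 both mean Sunday
                weekday = int(snap[1:] or "0")
                t = t.replace(hour=0, minute=0, second=0, microsecond=0)
                back = (t.isoweekday() % 7 - weekday) % 7   # isoweekday()%7: Sun=0
                t -= timedelta(days=back)          # snap backwards, as Splunk does
            else:
                t = t.replace(microsecond=0)
                if snap in "mhd":
                    t = t.replace(second=0)
                if snap in "hd":
                    t = t.replace(minute=0)
                if snap == "d":
                    t = t.replace(hour=0)
        else:                                      # offset, e.g. "-7d" or "+1h"
            n = m.group(1)
            count = int(n) if n not in ("", "+", "-") else (1 if n != "-" else -1)
            t += timedelta(**{_UNIT[m.group(2)]: count})
    return t

def which_panel(now, earliest):
    """The thread's <condition match>: earliest at/after today's midnight -> current."""
    if relative_time(now, earliest) >= relative_time(now, "@d"):
        return "current"
    return "historical"

SAMPLE_NOW = datetime(2024, 12, 11, 15, 30, 45)   # constructed: a Wednesday afternoon

if __name__ == "__main__":
    for preset in ("-15m", "@d", "-24h", "-7d@w0", "@w0"):
        print(f"{preset:>8} -> {which_panel(SAMPLE_NOW, preset)}")
```

Note that a preset such as "All time" puts an epoch value rather than a modifier in the earliest token, which this model rejects; the dashboard condition needs a separate branch for that case.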

MattZerfas
Communicator

Instead of trying to fire off 2 different searches based on what time the user selects, I think it might be easier to just create the query so it looks at both your non-summary and summary indexed data together. That way, if a user selects older than today, it would pass that timeframe to your non-summarized "today" query, which wouldn't find any data, and it would also pass that timeframe to your summarized "older than today" query, which would have the data and display what you want.

Something like this maybe?

index=nonsummarized foo=bar | timechart span=1d count by foo | append [ search index=summary foo=bar | timechart span=1d count by foo ]

Both would get passed the time picker earliest and latest values, but depending on the values one of the queries should return a result. I haven't actually tried this out, but it's an idea to hopefully not have to key off of the time selected.

0 Karma

rjthibod
Champion

Total shot in the dark here.

Without getting into tokens and hidden base searches/panels, you could try using gentimes and map. You would want to try this out in the search app first to see if it would reasonably work, because you have to do some other formatting to make the map command escape characters in SimpleXML.

| gentimes start=-1 | addinfo | eval earliest_today=relative_time(now(), "@d") | eval latest_today=now() | eval mysearch=if(info_min_time >= earliest_today AND info_max_time <= latest_today, "today's search", "other search string") | table mysearch | map search="$mysearch$"
0 Karma