Solved: Re: How to set up a dashboard that will dynamicall...

cafissimo · ‎10-26-2016

Hello,
I would like to set up a dashboard with several panels that have different searches based on the time range chosen.
The time range picker is different for every panel.
For example, if the user chooses "today" as time range, the search to be executed should be

search bar foo | stats count

If the user chooses a time range that does not include a time period of today, the search should be completely different, for example

index=summary_test mickey mouse | timechart count

Thanks in advance and best regards.

sundareshr · ‎10-26-2016

One option would be to show/hide panels based on user selection. For example, try something like this

<input type="time" token="timepicker">
....
<change>
 <condition match="relative_time(now(), $t.earliest$)>=relative_time(now(), "@d")">
   <set token="current">true</set>
   <unset token="historical" />
</condition>
<change>
 <condition match="*">
   <set token="historical">true</set>
   <unset token="current" />
</condition>
</input>
...
<panel depends="$current$" rejects="$historical$">
<chart>
<search>
<query>use current data  | eval dontexecutetilltokenisset="$current$"</query>
</search>
</chart>
</panel>
<panel rejects="$current$" depends="$historical$">
<chart>
<search>
<query>use historical data | eval dontexecutetilltokenisset="$historical$"</query>
</search>
</chart>
</panel>

View solution in original post

sundareshr · ‎10-26-2016

One option would be to show/hide panels based on user selection. For example, try something like this

<input type="time" token="timepicker">
....
<change>
 <condition match="relative_time(now(), $t.earliest$)>=relative_time(now(), "@d")">
   <set token="current">true</set>
   <unset token="historical" />
</condition>
<change>
 <condition match="*">
   <set token="historical">true</set>
   <unset token="current" />
</condition>
</input>
...
<panel depends="$current$" rejects="$historical$">
<chart>
<search>
<query>use current data  | eval dontexecutetilltokenisset="$current$"</query>
</search>
</chart>
</panel>
<panel rejects="$current$" depends="$historical$">
<chart>
<search>
<query>use historical data | eval dontexecutetilltokenisset="$historical$"</query>
</search>
</chart>
</panel>

cafissimo · ‎10-27-2016

I'd like to use condition and set token method, but it seems to me that values of timerange picker are not being considered inside condition match...
You have written "$t.earliest$" , but the token name should be "timepicker", am I right?

Thanks again.

cafissimo · ‎10-27-2016

Working form:

<form>
  <label>Test show hide</label>
  <fieldset submitButton="false">
  <input type="time" searchWhenChanged="true">
   <label></label>
   <default>
     <earliest>-7d@w0</earliest>
     <latest>@w0</latest>
   </default>
   <change>
     <condition match='relative_time(now(), $earliest$) &lt; relative_time(now(), "@d")'>
        <set token="historical">true</set>
        <unset token="current" />
    </condition>
      <condition match='relative_time(now(), $earliest$) &gt;= relative_time(now(), "@d")'>
        <set token="current">true</set>
        <unset token="historical" />
    </condition>
   </change>
 </input>
 </fieldset>
  <row>
     <panel depends="$current$" rejects="$historical$">
      <table>
        <search>
          <query>| metadata type=sources | head 10 | table source | eval dontexecutetilltokenisset="$current$"</query>
        </search>
      </table>
    </panel>
    <panel rejects="$current$" depends="$historical$">
      <table>
        <search>
          <query>| metadata type=sourcetypes | head 3 | table sourcetype | eval dontexecutetilltokenisset="$historical$"</query>
        </search>
      </table>
    </panel>
  </row>
</form>

Thanks a lot!!!

MattZerfas · ‎10-26-2016

Instead of trying to fire off 2 different searches based on what time the user selects I think it might be easier to just create the query so it looks at both your non summary and summary indexed data together that way if a user selects older than today it will would pass that timeframe to your non summarized "today" query which wouldn't find any data and it would also pass that timeframe to your summarized "older than today" query which would have the data and display what you want .

Something like this maybe?

index=nonsummarized  foo=bar | timechart span=1d count by foo | append [ search index=summary  foo=bar  | timechart span=1d count by foo ]

Both would get passed the timepicker earliest and latest values but depending on the values one of the queries should return a result. I haven't actually tried this out but it's an idea to hopefully not have to key off of the time selected.

rjthibod · ‎10-26-2016

Total shot in the dark here.

Without getting into tokens and hidden base searches/panels, you could try using gentimes and map. You would want to try this out in the search app first to see if it would reasonably work, because you have to do some other formatting to make the map command escape characters in SimpleXML.

| gentimes start=-1 | addinfo | eval earliest_today = relative_time(now(), 0d@d) | eval latest_today = now() | eval mysearch= if (info_min_time >= earliest_today AND info_max_time <= latest_time), "today's search", "other search string" | table mysearch | map search="$mysearch$"

How to set up a dashboard that will dynamically choose a search based on time range chosen?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024