Solved: Re: How to show/hide panels based on dynamic value...

alinadejeu · ‎07-17-2018

At the top of my dashboard I have a input that lists a variety of Hosts you can select from. In the screenshot example below I have "i_ubuntu1" selected. Once I click/select the host I want to examine, the host value is passed to another input I have to the right labeled "vol" (in the example screenshot below). The vol input takes that host value and lists the corresponding sourcetypes available. The sourcetype input is using the checkbox option. What I would like to do is when you check one of those sourcetype values the corresponding panel shows below. If the checkbox is not select the corresponding panel is not shown.

I have been trying to look at other splunk answers that have been posted about this topic to figure this out but I'm not sure how to get this to apply because my sourcetype input are dynamic values. Is there a way I can set the token to the value of the sourcetype that is checked? Or something similar. I also don't mind using Radio instead of the checkbox if that helps.

renjith_nair · ‎07-17-2018

Hi @alinadejeu ,

If you are using same search for all the sourcetypes in the detailed panel, you could use below. It avoids handling of multiple panels.

<form>
  <label>DrillDown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="host">
      <label>Host</label>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>|metadata type=hosts|fields host|dedup host</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="checkbox" token="sourcetype">
      <label>Vol</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>|tstats count where host=$host$ by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>  OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel depends="$sourcetype$,$host$">
      <title>Selected Vol : $sourcetype$</title>
      <table>
        <search>
          <query>index=_* host=$host$ sourcetype=$sourcetype$ |stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Happy Splunking!

View solution in original post

renjith_nair · ‎07-17-2018

Hi @alinadejeu ,

If you are using same search for all the sourcetypes in the detailed panel, you could use below. It avoids handling of multiple panels.

<form>
  <label>DrillDown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="host">
      <label>Host</label>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>|metadata type=hosts|fields host|dedup host</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="checkbox" token="sourcetype">
      <label>Vol</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>|tstats count where host=$host$ by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>  OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel depends="$sourcetype$,$host$">
      <title>Selected Vol : $sourcetype$</title>
      <table>
        <search>
          <query>index=_* host=$host$ sourcetype=$sourcetype$ |stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Happy Splunking!

alinadejeu · ‎07-18-2018

So that works.... ish.... the issue is, it does generate the sourcetype lists but when I go to check the box on one of the sourcetypes all of the hidden panels appear.

For example I have 2 sourcetypes:
netstat & arp

If I check the box for sourcetype: netstat both netstat and arp panels show up. I would like it when I click netstat only the netstat panel appears.

renjith_nair · ‎07-18-2018

So you have different panel for each sourcetype and not one panel which uses a single search? Can't it be consolidated? Just trying to understand whether we can improve the performance of the dashboard by decreasing number of searches on it

Happy Splunking!

alinadejeu · ‎07-18-2018

So I am using a Universal Forward to send data (text files) to splunk. These files are completely different from one another which is why i have different sourcetypes. netstat and arp are just 2 of the many files being send. Each time we need to investigate a issue these files are generated for investigative purposes. So the host will always be different but the files we create and ingest into splunk are always for example netstat, arp, etc. So what I was trying to do is create a panel for each file (netstat, arp, etc.) and when you pick on the sourcetype you want, the corresponding panel would show.

renjith_nair · ‎07-18-2018

Ok if you have different panels for each sourcetype, then you have defined sourcetype to check. Try the below then, change the sourcetype and number of panels. I just used radio button, but you could use checkbox as well

<form>
  <label>DrillDown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="host">
      <label>Host</label>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>|metadata type=hosts|fields host|dedup host</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="radio" token="sourcetype">
      <label>Vol</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>|tstats count where host=$host$ by sourcetype</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition value="splunkd">
          <set token="panel1">true</set>
          <unset token="panel2"></unset>
          <unset token="panel3"></unset>
        </condition>
        <condition value="splunkd_ui_access">
          <set token="panel2">true</set>
          <unset token="panel1"></unset>
          <unset token="panel3"></unset>
        </condition>   
        <condition value="splunkd_web_access">
          <set token="panel3">true</set>
          <unset token="panel1"></unset>
          <unset token="panel2"></unset>
        </condition>            
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$panel1$">
      <title>Selected Vol : $sourcetype$</title>
      <table>
        <search>
          <query>index=_* host=$host$ sourcetype=$sourcetype$ |stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$panel2$">
      <title>Selected Vol : $sourcetype$</title>
      <table>
        <search>
          <query>index=_* host=$host$ sourcetype=$sourcetype$ |stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>  
  <row>
    <panel depends="$panel3$">
      <title>Selected Vol : $sourcetype$</title>
      <table>
        <search>
          <query>index=_* host=$host$ sourcetype=$sourcetype$ |stats count by index</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>  
</form>

Happy Splunking!

alinadejeu · ‎07-18-2018

I'm not sure where I'm going wrong:

    </input>
    <input type="radio" token="sourcetype">
      <label>Vol</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>|tstats count where $host$ by sourcetype</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition value="netstat">
          <set token="panel1">true</set>
          <unset token="panel2"></unset>
        </condition>
        <condition value="arp">
          <unset token="panel1"></unset>
          <set token="panel2">true</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$panel1$">
      <title>netstat</title>
      <event>
        <search>
          <query>index=*security_forensics $host$ $sourcetype$</query>

alinadejeu · ‎07-18-2018

I got it, found the typo. Thanks that works! Greatly appreciate it.

How to show/hide panels based on dynamic values?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk