Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use my eval search within a form input in my dashboard?

akocak
Contributor
‎05-22-2017 10:38 AM

Hi, thanks upfront for your time,
I have a dashboard with a form input "compare this week vs last week and "compare month vs this month"

<input type="dropdown" token="compare_time">
      <label>Comparison:</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="w">This Week vs Last Week</choice>
      <choice value="month">This Month vs Last Month</choice>
    </input>

I create earliest and latest with evals as:

|eval compare_time="w" #for testing
|eval firsttime = "earliest=-".compare_time."@".compare_time." latest=@".compare_time
|eval timediff=if((compare_time="w"),604800,2419200)
|eval secondtime="earliest=@".compare_time." latest=now"|table firsttime timediff secondtime

I can get the values I desire on table. However, I can't start my search with these evals that will generate right search times from form input.
please help me use these inputs in my actual search. it should be something like:

| eval firsttime = "earliest=-".$compare_time$."@".$compare_time$." latest=@".$compare_time$
|eval timediff=if(($compare_time$="w"),604800,2419200)
|eval secondtime="earliest=@".$compare_time$." latest=now"
|search [index=x user=$user$ $firsttime$
| multikv | bin _time span=1d| eval reportKey="PreviousAvg"| eval _time=_time + $timediff$ 
]| append [search index=x user=$user$ $secondtime$
| multikv|eval reportKey="CurrentAvg" |bin _time span=1d] 
| timechart avg(duration) as Average by reportKey
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-22-2017 03:38 PM

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-22-2017 03:38 PM

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

akocak
Contributor
‎05-23-2017 07:28 AM

Thanks for the answer, Apparently, I was looking for how to create multi-token dropdown choice input. I adapted your solution to my dashboard and it works. Thanks again

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top