Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use my eval search within a form input in my dashboard?

akocak
Contributor
‎05-22-2017 10:38 AM

Hi, thanks upfront for your time,
I have a dashboard with a form input "compare this week vs last week and "compare month vs this month"

<input type="dropdown" token="compare_time">
      <label>Comparison:</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="w">This Week vs Last Week</choice>
      <choice value="month">This Month vs Last Month</choice>
    </input>

I create earliest and latest with evals as:

|eval compare_time="w" #for testing
|eval firsttime = "earliest=-".compare_time."@".compare_time." latest=@".compare_time
|eval timediff=if((compare_time="w"),604800,2419200)
|eval secondtime="earliest=@".compare_time." latest=now"|table firsttime timediff secondtime

I can get the values I desire on table. However, I can't start my search with these evals that will generate right search times from form input.
please help me use these inputs in my actual search. it should be something like:

| eval firsttime = "earliest=-".$compare_time$."@".$compare_time$." latest=@".$compare_time$
|eval timediff=if(($compare_time$="w"),604800,2419200)
|eval secondtime="earliest=@".$compare_time$." latest=now"
|search [index=x user=$user$ $firsttime$
| multikv | bin _time span=1d| eval reportKey="PreviousAvg"| eval _time=_time + $timediff$ 
]| append [search index=x user=$user$ $secondtime$
| multikv|eval reportKey="CurrentAvg" |bin _time span=1d] 
| timechart avg(duration) as Average by reportKey
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-22-2017 03:38 PM

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-22-2017 03:38 PM

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>
Reply
Solved! Jump to solution

akocak
Contributor
‎05-23-2017 07:28 AM

Thanks for the answer, Apparently, I was looking for how to create multi-token dropdown choice input. I adapted your solution to my dashboard and it works. Thanks again

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...