Dashboards & Visualizations

How to use my eval search within a form input in my dashboard?

akocak
Contributor

Hi, thanks upfront for your time,
I have a dashboard with a form input "compare this week vs last week and "compare month vs this month"

<input type="dropdown" token="compare_time">
      <label>Comparison:</label>
      <prefix>"</prefix>
      <suffix>"</suffix>
      <choice value="w">This Week vs Last Week</choice>
      <choice value="month">This Month vs Last Month</choice>
    </input>

I create earliest and latest with evals as:

|eval compare_time="w" #for testing
|eval firsttime = "earliest=-".compare_time."@".compare_time." latest=@".compare_time
|eval timediff=if((compare_time="w"),604800,2419200)
|eval secondtime="earliest=@".compare_time." latest=now"|table firsttime timediff secondtime 

I can get the values I desire on table. However, I can't start my search with these evals that will generate right search times from form input.
please help me use these inputs in my actual search. it should be something like:

| eval firsttime = "earliest=-".$compare_time$."@".$compare_time$." latest=@".$compare_time$
|eval timediff=if(($compare_time$="w"),604800,2419200)
|eval secondtime="earliest=@".$compare_time$." latest=now"
|search [index=x user=$user$ $firsttime$
| multikv | bin _time span=1d| eval reportKey="PreviousAvg"| eval _time=_time + $timediff$ 
]| append [search index=x user=$user$ $secondtime$
| multikv|eval reportKey="CurrentAvg" |bin _time span=1d] 
| timechart avg(duration) as Average by reportKey 
0 Karma
1 Solution

lguinn2
Legend

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

View solution in original post

lguinn2
Legend

I think you will be much better off if you use tokens for this. In the following sample, I did most of the work with tokens - the actual search is quite simple and fast

<form>
<label>Sample</label>
<fieldset submitButton="true">
    <!-- Create inputs for user here too-->
    <input type="dropdown" token="period_tok">
    <label>Comparison:</label>
    <choice value="week">This Week vs Last Week</choice>
    <choice value="month">This Month vs Last Month</choice>
    <default>This Week vs Last Week</default>
      <change>
        <condition value="week">
          <set token="date_label">This Week vs Last Week</set>
          <set token="earliest_tok">-2w@w</set>
          <set token="latest_tok">@w</set>
          <set token="split_tok">-1w@w</set>
        </condition>
        <condition value="month">
          <set token="date_label">This Month vs Last Month</set>
          <set token="earliest_tok">-2m@m</set>
          <set token="latest_tok">@m</set>
           <set token="split_tok">-1m@m</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Comparison of $date_label$</title>
      <chart>
        <search>
          <query><![CDATA[index=x user=$user|s$
                    | eval reportKey=if(_time < relative_time(now(),$split_tok|s$),"Last ","This ") . $period_tok|s$
                    | timechart span=1d avg(duration) by reportKey]]>
          </query>
          <earliest>$earliest_tok$</earliest>
          <latest>$latest_tok$</latest>
        </search>
        <option name="charting.axisTitleX.text"></option>
        <option name="charting.axisTitleY.text">Average duration</option>
      </chart>
    </panel>
  </row>
</form>

akocak
Contributor

Thanks for the answer, Apparently, I was looking for how to create multi-token dropdown choice input. I adapted your solution to my dashboard and it works. Thanks again

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...